Abstract. In this note, we provide complexity characterizations of model checking multi-pushdown systems. Multi-pushdown systems model recursive concurrent programs in which every sequential process has a finite control. We consider three standard notions of boundedness: context boundedness, phase boundedness and stack ordering. The logical formalism is a linear-time temporal logic extending the well-known logic CaRet but dedicated to multi-pushdown systems, in which the abstract operators (related to calls and returns) such as those for next-time and until are parameterized by stacks. We show that the problem is ExpTime-complete for context-bounded runs and unary encoding of the number of context switches; we also prove that the problem is 2ExpTime-complete for phase-bounded runs and unary encoding of the number of phase switches. In both cases, the value $k$ is given as an input (whence it is not a constant of the model-checking problem), which makes a substantial difference in the complexity. In certain cases, our results improve previous complexity results.



1 Introduction 

Multi-pushdown systems. Verification problems for pushdown systems, systems with a finite automaton and an unbounded stack, have been extensively studied and decidability can be obtained as in the case of finite-state systems. Indeed, many problems of interest like computing pre*(X) (the set of configurations reaching a regular set X), post*(X) (the set of configurations accessible from a regular set X), reachability and LTL model checking have been shown to be decidable [11,16,22,28]. More precisely, the existence of infinite runs with a Büchi acceptance condition is decidable for pushdown systems. The proof is based on the fact that pre*(X) is computable and regular for any regular set X of configurations (post*(X) is also regular and computable) [11]. These have also been implemented, for instance in the model checker Moped [22]. It can be argued that pushdown systems are natural models for recursive programs. Two limitations of the model, though, are the inability to model programs over infinite domains (like integers) and the inability to model concurrency. Replacing the finite automaton by an infinite one to handle the former limitation leads to undecidability [20]. An approach to tackle this has been to abstract infinite-state programs into Boolean programs using, for instance, predicate abstraction; the abstraction is then refined repeatedly, as needed, as in the SLAM tool [7], SATABS [12], etc. For concurrency, a natural way to extend the model is to consider pushdown automata with multiple stacks, which have seen significant interest in the recent past [2,3,9,15]. This is the main object of study in this paper, and we call them multi-pushdown systems.

The difficulty of model-checking multi-pushdown systems. A pushdown system with even two stacks and a singleton stack alphabet is sufficient to simulate a Turing machine (see e.g. the classical result in [20]), hence even testing reachability is undecidable. This is not a unique situation and similar issues exist with other abstractions, like model-checking problems on counter systems; other models of multithreaded programs are also known to admit undecidable verification problems. That is why subclasses of runs have been introduced, as well as problems related to the search for 'bounded runs' that may satisfy a desirable or undesirable property. For instance, reversal-bounded counter automata have effectively semilinear reachability sets [18], context-bounded model checking bounds the number of context switches [21] (see also the more recent work dealing with complexity issues in [15]), and of course bounded model checking (BMC) bounds the distance of the reached positions [8].

Motivations. In [21], NP-completeness of the reachability problem restricted to context-bounded runs was shown. This was also implemented in a tool called ZING to verify safety properties and find bugs in actual programs within a few context switches, showing the feasibility of the approach. Since then, there has been significant work on weaker restrictions and other related problems. This paper focuses on model-checking problems for multi-pushdown systems based on LTL-like dialects, which naturally allow liveness properties to be expressed, when some bounds are fixed. Though decidability of these problems has been established in some recent works (as a consequence of considering more expressive logics like monadic second-order logic), we aim to provide an optimal computational complexity analysis for LTL-like properties. In particular, we consider an LTL-like specification language based on CaRet [1], which strikes us as fitting given the interest of the model in program verification.

Content. We consider the logic Multi-CaRet, an extension of CaRet (itself a generalization of LTL) able to reason about runs of concurrent recursive programs. Next, we study the model-checking problem of Multi-CaRet formulae over multi-pushdown systems restricted to $k$-bounded runs and give an ExpTime upper bound when $k$ is encoded in unary. Since this problem generalizes LTL model checking of pushdown systems, which is known to be ExpTime-hard, this is an optimal result. Viewed as an extension of [11], we consider both a more general model and a more general logic, while still preserving the complexity bounds. At a technical level, we focus on combining several approaches in order to achieve optimal complexity bounds. In particular, we combine the approach taken in CaRet model checking of recursive state machines (equivalent to pushdown systems in expressiveness, but modelling recursive programs more explicitly) [1], ideas from reachability analysis of multi-pushdown systems [22] and the techniques introduced in work on pushdown systems in [11,22]. We also go further and consider less restrictive notions of boundedness that have been considered in the literature, and obtain optimal or near-optimal complexity bounds for them. To summarize the results in the paper,

- Multi-CaRet model checking over multi-pushdown systems with $k$-context-bounded runs [21] is ExpTime-complete when $k$ is encoded in unary and in 2ExpTime if the encoding is binary. The value $k$ is given as an input and not as a parameter of the problem, which makes a substantial difference when a complexity analysis is provided.

- Multi-CaRet model checking over multi-pushdown systems with $k$-phase-bounded runs [24] is in 2ExpTime when $k$ is encoded in unary, and in 3ExpTime if the encoding is binary. Note that this problem can be encoded from the developments in [9], but the ExpTime upper bound from [9] applies when the number of phases is fixed; otherwise, one gets a 3ExpTime upper bound if $k$ is encoded in binary.

- Similarly, Multi-CaRet model checking over ordered multi-pushdown systems [4] is in 2ExpTime when $k$ is encoded in unary, and in 3ExpTime if the encoding is binary. This is the best we can hope for since by [3], the reachability problem, the existence of infinite runs with a Büchi acceptance condition and LTL model checking are decidable for ordered multi-pushdown systems, the latter problem being 2ETime-complete. Global model checking is also decidable [3, Theorem 12].

In [19], decidability results can be found for several classes of automata with auxiliary storage based on MSO properties. This includes multi-pushdown systems with bounded contexts and ordered multi-pushdown systems, and, as stated in [19], might also include problems with temporal logics. Another work worth looking at is the one on games on multi-stack systems [23], where parity games on bounded multi-stack systems are shown decidable thanks to a new proof of the decidability of the emptiness problem. However, the complexity is non-elementary in the size of the formula, since it is obtained via the celebrated Courcelle's Theorem [13], whose parameterized complexity is non-elementary, the parameter being the size of the formula plus the tree-width. Non-elementary lower bounds can also be reached with branching-time logics, see e.g. [5].

Comparison with two recent works. In this paper, we generalize the automata-based approach for LTL to a linear-time temporal logic for multi-pushdown systems. A similar approach has also been followed in the recent works [6,26]. Let us explain below the main differences with the present work.
In [6], LTL model checking on multi-pushdown systems when runs are $k$-scope-bounded is shown ExpTime-complete. Scope-boundedness strictly extends context-boundedness and therefore Corollary 13(1) and [6, Theorem 7] are closely related, even though Corollary 13(1) deals with Multi-CaRet and takes into account only context-boundedness. Moreover, we are able to deal with regular constraints on stack contents while keeping the optimal complexity upper bound. By contrast, [26] introduces an extension of CaRet that is identical to the variant we consider in our paper. Again, [26] deals with scope-boundedness and Corollary 13(1) and [26, Theorem 6] are closely related, even though Corollary 13(1) takes into account only context-boundedness, which leads to a slightly different result. The upper bound for OBMC from Corollary 14 is a relatively simple consequence of the way we reduce model checking to repeated reachability with generalized Büchi acceptance conditions. Similarly, [26, Theorem 7] provides an optimal complexity upper bound for ordered multiply nested words, whence Corollary 14 and [26, Theorem 7] are also related.

As a concluding remark, the work presented in this note is partly subsumed by the recent developments presented in [6,26]. Nevertheless, the upper bounds in Corollary 12(1) and in Corollary 13(1) are original results, apart from the way we build the synchronized product in Section 4. Moreover, we believe that our developments shed some useful light on technical issues. For instance, we deal with context-boundedness, phase-boundedness and ordered multi-pushdown systems uniformly while providing optimal complexity upper bounds in several cases. Our complexity analysis for context-boundedness relies on [11,22] whereas for ordered multi-pushdown systems it relies on [3] (for instance, this contrasts with the developments from [26, Section 5]). Finally, our construction allows us to add regularity constraints, which are known to go beyond first-order languages, by a simple adaptation of the case for Multi-CaRet.

2 Preliminaries 

We write $[N]$ to denote the set $\{1, 2, \dots, N\}$. We also use boldface as a shorthand for elements indexed by $[N]$, e.g. $\mathbf{a} = \{a_i \mid i \in [N]\}$. For an alphabet $\Sigma$, $\Sigma^*$ represents the set of finite words over $\Sigma$ and $\Sigma^+$ the set of finite non-empty words over $\Sigma$. For a finite word $w = a_1 \dots a_k$ over $\Sigma$, we write $|w|$ to denote its length $k$. For $0 \le i < |w|$, $w(i)$ represents the $(i+1)$-th letter of the word, here $a_{i+1}$. We use $\mathrm{card}(X)$ to denote the number of elements of a finite set $X$.

2.1 Multi-Pushdown Systems 

In this section, we first define multi-pushdown systems and then present a simple reduction into multi-pushdown systems with global states in which the next active stack can be read. There is a correspondence in terms of traces (which is what we need for the forthcoming model-checking problems).

Pushdown systems provide a natural execution model for programs with recursion. A generalization with multiple stacks allows us to model threads. The formal model is described below; we call it multi-pushdown systems.

Definition 1. A multi-pushdown system is a tuple of the form

$$P = (G, N, \Gamma, \Delta_1, \dots, \Delta_N),$$

for some $N \ge 1$ such that:

- $G$ is a non-empty finite set of global states,

- $\Gamma$ is the finite stack alphabet containing the distinguished letter $\bot$,

- for every $s \in [N]$, $\Delta_s$ is the transition relation acting on the $s$-th stack, where $\Delta_s$ is a relation included in $G \times \Gamma \times G \times \mathfrak{A}(\Gamma)$ with $\mathfrak{A}(\Gamma)$ defined as

$$\mathfrak{A}(\Gamma) \stackrel{\text{def}}{=} \bigcup_{a \in \Gamma} \{\mathrm{call}(a), \mathrm{return}(a), \mathrm{internal}(a)\}.$$

Elements of the set $\mathfrak{A}(\Gamma)$ are to be thought of as actions modifying a stack over the alphabet $\Gamma$.

A configuration $c$ of the multi-pushdown system $P$ is the global state along with the contents of the $N$ stacks, i.e. $c$ belongs to $G \times (\Gamma^*)^N$. For every $s \in [N]$, we write $\to_s$ to denote the one-step relation with respect to the $s$-th stack. Given two configurations $c = (g, w_1, \dots, w_s a, \dots, w_N)$ and $c' = (g', w_1, \dots, w'_s, \dots, w_N)$, $c \to_s c'$ iff $(g, a, g', \alpha(b)) \in \Delta_s$ where $\alpha(b)$ reflects the change in the stack, enforcing one of the conditions below:

- $w'_s = w_s$, $\alpha = \mathrm{return}$ and $a = b$,

- $w'_s = w_s b$ and $\alpha = \mathrm{internal}$,

- $w'_s = w_s a b$ and $\alpha = \mathrm{call}$.

The letter $\bot$ from the stack alphabet plays a special role: the initial content of each stack is precisely $\bot$. Moreover, $\bot$ cannot be pushed, popped or replaced by any other symbol. This is a standard way to constrain the transition relations and to check for 'emptiness' of a stack (i.e. its content is equal to $\bot$). We write $\to_P$ to denote the relation $\bigcup_{s \in [N]} \to_s$. Note that given a configuration $c$, there may exist $c_1$, $c_2$ and $i_1 \ne i_2 \in [N]$ such that $c \to_{i_1} c_1$ and $c \to_{i_2} c_2$, which is the fundamental property that makes such models adequate for modeling concurrency. An infinite run is an $\omega$-sequence of configurations $c_0, c_1, c_2, \dots$ such that for every $i \ge 0$, we have $c_i \to_P c_{i+1}$. If $c_i \to_s c_{i+1}$, then we say that for that step the $s$-th stack is active. Similar notions can be defined for finite runs. As usual, we write $c \xrightarrow{*} c'$ whenever there is a finite run from $c$ to $c'$. A standard problem on multi-pushdown systems is the state reachability problem defined below:

input: $(P, c, g)$ where $P$ is a multi-pushdown system, $c$ is a configuration of $P$ and $g$ a global state of $P$.

question: is there a finite run from $c$ to some configuration $c'$ such that the global state of $c'$ is $g$?
An enhanced multi-pushdown system is a multi-pushdown system of the form $P = (G \times [N], N, \Gamma, \Delta_1, \dots, \Delta_N)$ such that for every $s \in [N]$, $\Delta_s \subseteq (G \times \{s\}) \times \Gamma \times (G \times [N]) \times \mathfrak{A}(\Gamma)$. In such multi-pushdown systems, the global state contains enough information to determine the next active stack. Observe that, given the way the one-step relation is defined, we do not necessarily need to carry this information as part of the finite control (see Lemma 2). We do so in order to be able to assert in our logic which stack is active (see Section 3), and for technical convenience.

Lemma 2. Given a multi-pushdown system $P = (G, N, \Gamma, \boldsymbol{\Delta})$, one can construct in polynomial time an enhanced multi-pushdown system $P' = (G \times [N], N, \Gamma, \boldsymbol{\Delta}')$ such that

(I) For every infinite run of $P$ of the form

$$c_0 \to_{s_0} c_1 \to_{s_1} \cdots c_t \to_{s_t} c_{t+1} \cdots$$

there exists an infinite run $c'_0 \to_{s_0} c'_1 \to_{s_1} \cdots c'_t \to_{s_t} c'_{t+1} \cdots$ of $P'$ such that (*) for $t \ge 0$, if $c_t = (g_t, \mathbf{w}_t)$ then $c'_t = ((g_t, s_t), \mathbf{w}_t)$.

(II) Similarly, for every infinite run of $P'$ of the form

$$c'_0 \to_{s_0} c'_1 \to_{s_1} \cdots c'_t \to_{s_t} c'_{t+1} \cdots$$

there exists an infinite run $c_0 \to_{s_0} c_1 \to_{s_1} \cdots c_t \to_{s_t} c_{t+1} \cdots$ of $P$ such that (*).

The proof is by an easy verification. In the sequel, without any loss of generality, we shall consider enhanced multi-pushdown systems only, since all the properties that can be expressed in our logical languages are linear-time properties. For instance, there is a logarithmic-space reduction from the state reachability problem to its restriction to enhanced multi-pushdown systems.

2.2 Standard Restrictions on Multi-Pushdown Systems 

The state reachability problem is known to be undecidable by a simple reduction from the non-emptiness problem for the intersection of context-free grammars. This has motivated works on the definition of restrictions on runs so that decidability can be regained (for the state reachability problem but also for model-checking problems). We recall below three standard notions of boundedness; other notions can be found in [25,14]. Definitions are provided for infinite runs but they can easily be adapted to finite runs too.

In the notion of $k$-boundedness (context-boundedness) defined below, a context is understood as a sub-run in which a single stack is active (see e.g. [21]).

Definition 3. Let $\rho = c_0 \to_{s_0} c_1 \to_{s_1} \cdots c_t \to_{s_t} c_{t+1} \cdots$ be an infinite run and $k > 0$. We say that $\rho$ is $k$-bounded if there exist positions $i_1 < i_2 < \dots < i_{k-1}$ such that $s_t = s_{t+1}$ for all $t \in \mathbb{N} \setminus \{i_1, \dots, i_{k-1}\}$.

In the notion of $k$-phase-boundedness defined below, a phase is understood as a sub-run in which return actions are performed on a single stack (calls and internal actions may be performed on any stack), see e.g. [24].

Definition 4. Let $\rho = c_0 \to_{s_0} c_1 \to_{s_1} \cdots c_t \to_{s_t} c_{t+1} \cdots$ be an infinite run and $k > 0$. We say that $\rho$ is $k$-phase-bounded if there is a partition of $\mathbb{N}$ into intervals $Y_1, \dots, Y_a$ with $a \le k$ such that for every $j \in [1, a]$ there is $s \in [N]$ such that for every $i \in Y_j$, if a return action is performed from $c_i$ to $c_{i+1}$, then it is done on the $s$-th stack.

In the notion of order-boundedness defined below, the stacks are linearly ordered and a return action on a stack can only be performed if all smaller stacks are empty, see e.g. [4].

Definition 5. Let $P$ be a multi-pushdown system and $([N], \preceq)$ be a (finite) total ordering of the stacks. Let $\rho = c_0 \to_{s_0} c_1 \to_{s_1} \cdots c_t \to_{s_t} c_{t+1} \cdots$ be an infinite run. We say that $\rho$ is $\preceq$-bounded if for every $i \in \mathbb{N}$ at which a return is performed on the $s$-th stack, all the stacks strictly smaller than $s$ with respect to $\preceq$ are empty.
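The three notions above on a concrete run, as an added example that is not part of the paper: a small Python simulator for multi-pushdown systems in the sense of Definition 1 (with the constraints on $\bot$ from Section 2.1), together with checkers that compute, on a finite run prefix, the smallest $k$ for which the prefix is $k$-bounded (Definition 3) and $k$-phase-bounded (Definition 4), and whether it is $\preceq$-bounded for a given ordering (Definition 5). The two-stack system, its states p and q, the letters a and b and the scripted run are constructed for illustration; since the definitions concern infinite runs, the values computed on a prefix are lower bounds on what the whole run needs.

```python
"""Multi-pushdown systems (Definition 1) and the boundedness notions of
Section 2.2, checked on finite run prefixes.  Added example, not code from
the paper; the system and the run below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BOTTOM = "⊥"

# An element of Delta_s: (g, a, g', (alpha, b)) with alpha in {call, return, internal}.
Transition = Tuple[str, str, str, Tuple[str, str]]
# A configuration: (global state, [w_1, ..., w_N]) with each w_s a list, top at the end.
Configuration = Tuple[str, List[List[str]]]


@dataclass
class MultiPushdownSystem:
    n_stacks: int
    deltas: Dict[int, List[Transition]]  # s -> Delta_s for s in [N]

    def step(self, conf: Configuration, s: int, tr: Transition) -> Optional[Configuration]:
        """One step c ->_s c' using transition tr of Delta_s, or None if tr is not
        enabled.  ⊥ is never pushed, popped or replaced (Section 2.1)."""
        g, stacks = conf
        src, a, dst, (alpha, b) = tr
        w = stacks[s - 1]
        if g != src or not w or w[-1] != a or tr not in self.deltas[s]:
            return None
        if alpha == "return":
            if a == BOTTOM or a != b:
                return None
            new_w = w[:-1]
        elif alpha == "internal":
            if a == BOTTOM or b == BOTTOM:
                return None
            new_w = w[:-1] + [b]
        elif alpha == "call":
            if b == BOTTOM:
                return None
            new_w = w + [b]
        else:
            raise ValueError(f"unknown action {alpha}")
        new_stacks = list(stacks)
        new_stacks[s - 1] = new_w
        return (dst, new_stacks)


def execute(mps: MultiPushdownSystem, init: Configuration,
            steps: List[Tuple[int, Transition]]) -> List[Configuration]:
    """Follow the scripted steps (s_t, transition) from init and return c_0 .. c_n."""
    confs = [init]
    for s, tr in steps:
        nxt = mps.step(confs[-1], s, tr)
        if nxt is None:
            raise ValueError(f"step {tr} on stack {s} not enabled at {confs[-1]}")
        confs.append(nxt)
    return confs


def min_contexts(steps) -> int:
    """Smallest k such that the prefix is k-bounded (Definition 3): one more than
    the number of positions t with s_t != s_{t+1}."""
    active = [s for s, _ in steps]
    return 1 + sum(1 for t in range(len(active) - 1) if active[t] != active[t + 1])


def min_phases(steps) -> int:
    """Smallest k such that the prefix is k-phase-bounded (Definition 4): group the
    return actions into maximal intervals performed on a single stack."""
    returning = [s for s, (_, _, _, (alpha, _)) in steps if alpha == "return"]
    return 1 + sum(1 for i in range(len(returning) - 1) if returning[i] != returning[i + 1])


def is_order_bounded(confs, steps, order: List[int]) -> bool:
    """Definition 5 with `order` listing the stacks from smallest to largest w.r.t. ⪯:
    every return on stack s requires all strictly smaller stacks to hold only ⊥."""
    rank = {s: i for i, s in enumerate(order)}
    for (_, stacks), (s, (_, _, _, (alpha, _))) in zip(confs, steps):
        if alpha != "return":
            continue
        if any(rank[s2] < rank[s] and stacks[s2 - 1] != [BOTTOM] for s2 in order):
            return False
    return True


def example():
    """Two stacks: stack 1 nests two calls, stack 2 does a call/return in between,
    then stack 1 unwinds.  Returns (configurations, steps) of this constructed run."""
    d1 = [("p", BOTTOM, "p", ("call", "a")), ("p", "a", "p", ("call", "a")),
          ("q", "a", "q", ("return", "a")), ("q", "a", "p", ("return", "a"))]
    d2 = [("p", BOTTOM, "q", ("call", "b")), ("q", "b", "q", ("return", "b"))]
    mps = MultiPushdownSystem(n_stacks=2, deltas={1: d1, 2: d2})
    init: Configuration = ("p", [[BOTTOM], [BOTTOM]])
    steps = [(1, d1[0]), (1, d1[1]), (2, d2[0]), (2, d2[1]), (1, d1[2]), (1, d1[3])]
    return execute(mps, init, steps), steps


if __name__ == "__main__":
    confs, steps = example()
    print("contexts:", min_contexts(steps), "phases:", min_phases(steps))
    print("2 ⪯ 1 bounded:", is_order_bounded(confs, steps, [2, 1]),
          "1 ⪯ 2 bounded:", is_order_bounded(confs, steps, [1, 2]))
```

The scripted run switches the active stack twice (1, 1, 2, 2, 1, 1), so it is 3-bounded but not 2-bounded; its returns are grouped as one return on stack 2 followed by two on stack 1, so it is 2-phase-bounded; and it is $\preceq$-bounded only for the ordering in which stack 2 is the smaller one, because stack 1 still holds two a's when stack 2 returns.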

3 A Rich Specification Language for Multi-Pushdown Systems: Multi-CaRet

Below, we introduce Multi-CaRet, an extension of the logic CaRet proposed in [1], dedicated to runs of multi-pushdown systems (instead of runs of recursive state machines as in [1]). For instance, the logical language can state that a stack is active. Moreover, the temporal operators are sometimes parameterized by a stack; for instance, the abstract next relation can be naturally extended to the case when several stacks are present. Note that the logic presented below can easily be seen as a fragment of monadic second-order logic and therefore the decidability results from [19,9] apply to the forthcoming model-checking problems. However, our definition makes a compromise between a language of linear-time temporal properties that extends the logic from [1] and the most expressive logic for which our model-checking problems are known to be decidable. Indeed, we aim at proposing optimal complexity characterizations. The logic presented below is identical to the one presented in [26] except for the presence of regular constraints.

3.1 Definition 

Models of Multi-CaRet are infinite runs of multi-pushdown systems. For each (enhanced) multi-pushdown system $P = (G \times [N], N, \Gamma, \Delta_1, \dots, \Delta_N)$, we define the fragment Multi-CaRet($P$) of Multi-CaRet that uses syntactic resources from $P$ (namely $G$ and $[N]$). The full language Multi-CaRet is defined as the union of all the sub-languages Multi-CaRet($P$). Formulae of Multi-CaRet($P$) are defined according to the grammar below:

$$\phi ::= g \mid s \mid \mathrm{call} \mid \mathrm{return} \mid \mathrm{internal} \mid \neg\phi \mid \phi \vee \phi \mid \mathrm{X}\phi \mid \phi\,\mathrm{U}\,\phi \mid \mathrm{X}^a_s \phi \mid \phi\,\mathrm{U}^a_s\,\phi \mid \mathrm{X}^c_s \phi \mid \phi\,\mathrm{U}^c_s\,\phi$$

where $s \in [N]$ and $g \in G$. Models of Multi-CaRet($P$) formulae are $\omega$-sequences in $(G \times [N] \times (\Gamma^*)^N)^\omega$, which can obviously be understood as infinite runs of $P$.
Semantics. Given an infinite run $\rho = c_0 c_1 \dots c_t \dots$ with $c_t = (g_t, s_t, w^t_1, \dots, w^t_N)$ for every position $t \in \mathbb{N}$, the satisfaction relation $\rho, t \models \phi$ with $\phi$ in Multi-CaRet($P$) is defined inductively as follows (the successor relations are defined just below):

- $\rho, t \models g$ iff $g_t = g$

- $\rho, t \models s$ iff $s_t = s$

- $\rho, t \models \alpha$ iff $(\alpha, |w^{t+1}_{s_t}| - |w^t_{s_t}|) \in \{(\mathrm{call}, 1), (\mathrm{internal}, 0), (\mathrm{return}, -1)\}$

- $\rho, t \models \phi_1 \vee \phi_2$ iff $\rho, t \models \phi_1$ or $\rho, t \models \phi_2$

- $\rho, t \models \neg\phi$ iff $\rho, t \not\models \phi$

- $\rho, t \models \mathrm{X}\phi$ iff $\rho, \mathrm{succ}_\rho(t) \models \phi$

- $\rho, t \models \phi_1 \mathrm{U} \phi_2$ iff there is a sequence of positions $i_0 = t, i_1, \dots, i_k$ such that for $j < k$, $i_{j+1} = \mathrm{succ}_\rho(i_j)$ and $\rho, i_j \models \phi_1$, and $\rho, i_k \models \phi_2$

For $b \in \{a, c\}$ and $s \in [N]$:

- $\rho, t \models \mathrm{X}^b_s \phi$ iff $\mathrm{succ}^{b,s}_\rho(t)$ is defined and $\rho, \mathrm{succ}^{b,s}_\rho(t) \models \phi$

- $\rho, t \models \phi_1 \mathrm{U}^a_s \phi_2$ iff there exists a sequence of positions $t \le i_0 < i_1 < \dots < i_k$, where $i_0$ is the smallest position $\ge t$ with $s_{i_0} = s$, such that for $j < k$, $i_{j+1} = \mathrm{succ}^{a,s}_\rho(i_j)$ and $\rho, i_j \models \phi_1$, and $\rho, i_k \models \phi_2$

- $\rho, t \models \phi_1 \mathrm{U}^c_s \phi_2$ iff there exists a sequence of positions $t \ge i_0 > i_1 > \dots > i_k$, where $i_0$ is the greatest position $\le t$ with $s_{i_0} = s$, such that for $j < k$, $i_{j+1} = \mathrm{succ}^{c,s}_\rho(i_j)$ and $\rho, i_j \models \phi_1$, and $\rho, i_k \models \phi_2$

The above definition of $\models$ distinguishes three successor relations: the global successor relation, the abstract successor relation that jumps to the first future position after a return action at the same level, if any, and the caller successor relation that jumps to the latest past position before a call action at the same level, if any. Here are the formal definitions:

- $\mathrm{succ}_\rho(t) = t + 1$ for every $t \in \mathbb{N}$ (standard).

- $\mathrm{succ}^{a,s}_\rho(t)$ is defined below whenever $s$ is active at position $t$:

 1. If $|w^{t+1}_s| = |w^t_s| + 1$ (call), then $\mathrm{succ}^{a,s}_\rho(t)$ is the smallest $t' > t$ such that $s_{t'} = s$ and $|w^{t'}_s| = |w^t_s|$. If there is no such $t'$, then $\mathrm{succ}^{a,s}_\rho(t)$ is undefined.

 2. If $|w^{t+1}_s| = |w^t_s|$ (internal), then $\mathrm{succ}^{a,s}_\rho(t)$ is the smallest $t' > t$ such that $s_{t'} = s$ (the first future position at which the $s$-th stack is active).

 3. If $|w^{t+1}_s| = |w^t_s| - 1$ (return), then $\mathrm{succ}^{a,s}_\rho(t)$ is undefined.

- $\mathrm{succ}^{c,s}_\rho(t)$ (caller of the $s$-th stack): the largest $t' < t$ such that $s_{t'} = s$ and $|w^{t'}_s| = |w^t_s| - 1$. If such a $t'$ does not exist, then $\mathrm{succ}^{c,s}_\rho(t)$ is undefined.

In the sequel, we write $\rho \models \phi$ whenever $\rho, 0 \models \phi$.
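The successor relations $\mathrm{succ}_\rho$, $\mathrm{succ}^{a,s}_\rho$ and $\mathrm{succ}^{c,s}_\rho$ on a concrete run, as an added example that is not part of the paper: the run is represented by its sequence of steps (active stack $s_t$, action), from which the heights $|w^t_s|$ follow because every stack initially holds exactly $\bot$. The class also evaluates the X, U, $\mathrm{X}^a_s$ and $\mathrm{X}^c_s$ cases of the semantics above on a finite prefix, treating positions beyond the prefix as non-existent; since the paper's models are infinite runs, an "undefined" answer on a prefix may only mean the prefix is too short. Global states are left out because the successor relations do not depend on them; the sample step sequence is constructed for illustration.

```python
"""Global, abstract and caller successors of Section 3.1 on a finite run
prefix, plus a small evaluator for X, U, X^a_s and X^c_s.  Added example,
not code from the paper; the sample run is constructed for illustration."""
from typing import List, Optional, Tuple

Step = Tuple[int, str]  # (active stack s_t in [N], "call" | "internal" | "return")
DELTA = {"call": 1, "internal": 0, "return": -1}  # |w^{t+1}_s| - |w^t_s|


class Run:
    def __init__(self, n_stacks: int, steps: List[Step]):
        self.steps = steps
        # heights[t][s-1] = |w^t_s| for positions t = 0 .. len(steps); every stack
        # initially holds exactly ⊥, i.e. has height 1, and ⊥ is never popped.
        h = [1] * n_stacks
        self.heights = [list(h)]
        for s, action in steps:
            h[s - 1] += DELTA[action]
            if h[s - 1] < 1:
                raise ValueError(f"return on empty stack {s} at position {len(self.heights) - 1}")
            self.heights.append(list(h))

    def active(self, t: int) -> Optional[int]:
        """s_t, or None if t lies beyond the known prefix."""
        return self.steps[t][0] if t < len(self.steps) else None

    def succ_a(self, s: int, t: int) -> Optional[int]:
        """succ^{a,s}(t): defined only when s is active at t.  After a call, the
        first later position where s is active and its height is back to |w^t_s|;
        after an internal action, the next position where s is active; undefined
        after a return."""
        if self.active(t) != s or self.steps[t][1] == "return":
            return None
        is_call = self.steps[t][1] == "call"
        target = self.heights[t][s - 1]
        for t2 in range(t + 1, len(self.steps)):
            if self.active(t2) == s and (not is_call or self.heights[t2][s - 1] == target):
                return t2
        return None

    def succ_c(self, s: int, t: int) -> Optional[int]:
        """succ^{c,s}(t): the latest earlier position where s was active one level
        below the current height, i.e. the pending call on stack s."""
        target = self.heights[t][s - 1] - 1
        for t2 in range(t - 1, -1, -1):
            if self.active(t2) == s and self.heights[t2][s - 1] == target:
                return t2
        return None


def holds(run: Run, t: int, f: tuple) -> bool:
    """rho, t |= f for formulas written as tuples: ("act", a),  ("stack", s),
    ("not", f), ("or", f, g), ("X", f), ("U", f, g), ("Xa", s, f), ("Xc", s, f)."""
    kind = f[0]
    n = len(run.steps)
    if kind == "act":
        return t < n and run.steps[t][1] == f[1]
    if kind == "stack":
        return run.active(t) == f[1]
    if kind == "not":
        return not holds(run, t, f[1])
    if kind == "or":
        return holds(run, t, f[1]) or holds(run, t, f[2])
    if kind == "X":
        return t + 1 < n and holds(run, t + 1, f[1])
    if kind == "U":
        for t2 in range(t, n):
            if holds(run, t2, f[2]):
                return True
            if not holds(run, t2, f[1]):
                return False
        return False
    if kind in ("Xa", "Xc"):
        t2 = run.succ_a(f[1], t) if kind == "Xa" else run.succ_c(f[1], t)
        return t2 is not None and holds(run, t2, f[2])
    raise ValueError(f"unknown operator {kind}")


def sample_run() -> Run:
    """Stack 1 makes two nested calls, stack 2 calls and returns in between, stack 1
    unwinds both calls and then performs an internal action (constructed)."""
    return Run(2, [(1, "call"), (1, "call"), (2, "call"), (2, "return"),
                   (1, "return"), (1, "return"), (1, "internal")])


if __name__ == "__main__":
    r = sample_run()
    print("succ^{a,1}(0) =", r.succ_a(1, 0), " succ^{a,1}(1) =", r.succ_a(1, 1))
    print("succ^{c,1}(5) =", r.succ_c(1, 5), " succ^{c,2}(3) =", r.succ_c(2, 3))
    print("X^a_1 return at 1:", holds(r, 1, ("Xa", 1, ("act", "return"))))
```

On the sample run the inner call of stack 1 (position 1) has abstract successor 5, the position right after its matching return, while the outer call (position 0) has abstract successor 6, the first position where stack 1 is active again at its original height; the caller successor of position 5 is the outer call at 0. The call of stack 2 at position 2 has no abstract successor within the prefix, which is exactly the "undefined" case of clause 1.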
Adding regularity constraints. Regularity constraints are the most natural and simple constraints on stack contents, and yet such properties are not always expressible in first-order logic (or, equivalently, in plain LTL). Such constraints have a second-order flavour thanks to the close relationship between MSO and regular languages. We define Multi-CaRet$^{reg}$ as the extension of Multi-CaRet in which regularity constraints on stack contents can be expressed. The logic Multi-CaRet$^{reg}$ is defined from Multi-CaRet by adding atomic formulae of the form $\mathrm{in}(s, \mathcal{A})$ where $s$ is a stack identifier and $\mathcal{A}$ is a finite-state automaton over the stack alphabet $\Gamma$. The satisfaction relation $\models$ is extended accordingly: $\rho, t \models \mathrm{in}(s, \mathcal{A})$ iff $w^t_s \in L(\mathcal{A})$, where $L(\mathcal{A})$ is the set of finite words accepted by $\mathcal{A}$. Note that regularity constraints can be expressed on each stack. Even though most of the developments in the paper are done with Multi-CaRet, we shall see that all our complexity upper bounds still hold true with Multi-CaRet$^{reg}$, despite the fact that these new constraints have a second-order flavour.

Another set of temporal operators. The temporal operators $\mathrm{X}^a_s$ and $\mathrm{U}^a_s$ in Multi-CaRet are not only abstract operators that refer to future positions reached after returns, they are also parameterized by stacks. We made the choice to present these operators for their expressive power but also because they are quite handy in the forthcoming technical developments. Below, we briefly present the alternative operators $\mathrm{X}_s$, $\mathrm{X}^a$ and $\mathrm{U}^a$ and show how they are related to the operators from Multi-CaRet.

- $\rho, t \models \mathrm{X}_s \phi$ iff there is $t' > t$ such that $s_{t'} = s$ and, for the smallest such $t'$, we have $\rho, t' \models \phi$. So, $\mathrm{X}_s \phi$ states that at the next position at which the stack $s$ is active (if any), $\phi$ holds true.

- $\rho, t \models \mathrm{X}^a \phi$ iff $\mathrm{succ}^{a,s_t}_\rho(t)$ is defined and $\rho, \mathrm{succ}^{a,s_t}_\rho(t) \models \phi$. So, $\mathrm{X}^a \phi$ states that $\phi$ holds true at the abstract successor with respect to the currently active stack, i.e. after that stack's matching return in the case of a call.

- $\rho, t \models \phi_1 \mathrm{U}^a \phi_2$ iff there exists a sequence of positions $t = i_0 < i_1 < \dots < i_k$ where for $j < k$, $i_{j+1} = \mathrm{succ}^{a,s_{i_j}}_\rho(i_j)$ and $\rho, i_j \models \phi_1$, and $\rho, i_k \models \phi_2$.

Let us write $s$ to denote the formula (a disjunction of atomic formulae) stating that the current active stack is $s$. Note that ($\equiv$ denotes logical equivalence):

$$\mathrm{X}_s \phi \equiv \mathrm{X}(\neg s\,\mathrm{U}\,(s \wedge \phi)) \qquad \mathrm{X}^a \phi \equiv \bigwedge_{s} (s \Rightarrow \mathrm{X}^a_s \phi) \qquad \phi_1 \mathrm{U}^a \phi_2 \equiv \bigwedge_{s} (s \Rightarrow \phi_1 \mathrm{U}^a_s \phi_2)$$

Similarly, we have the following equivalences:

$$\mathrm{X}^a_s \phi \equiv (\neg s \Rightarrow \mathrm{X}_s \phi) \wedge (s \Rightarrow \mathrm{X}^a \phi) \qquad \phi_1 \mathrm{U}^a_s \phi_2 \equiv (\neg s \Rightarrow \mathrm{X}_s(\phi_1 \mathrm{U}^a \phi_2)) \wedge (s \Rightarrow \phi_1 \mathrm{U}^a \phi_2)$$

Hence, it is worth noting that the choice we made about the set of primitive operators does not strictly decrease the expressive power; we shall see that the operators from Multi-CaRet happen to be extremely helpful in the forthcoming technicalities.
3.2 Decision Problems

Let us introduce the model-checking problems considered in the paper. Model-checking problem for multi-pushdown systems (MC):

input: $(P, g_0, \phi)$ where $P$ is a multi-pushdown system, $g_0$ gives an initial configuration $(g_0, (\bot)^N)$, and $\phi$ is a formula in Multi-CaRet($P$).

question: Is there an infinite run $\rho$ from $(g_0, (\bot)^N)$ such that $\rho \models \phi$?

We know that the model-checking problem for multi-pushdown systems is undecidable, whereas its restriction to a single stack is ExpTime-complete [1]. Now, let us turn to bounded model-checking problems. Bounded model-checking problem for multi-pushdown systems (BMC):

input: $(P, g_0, \phi, k)$ where $P$ is a multi-pushdown system, $g_0$ gives an initial configuration $(g_0, (\bot)^N)$, $\phi$ is a formula in Multi-CaRet($P$) and $k \in \mathbb{N}$ is a natural number thought of as a bound.

question: Is there an infinite $k$-bounded run $\rho$ from $(g_0, (\bot)^N)$ such that $\rho \models \phi$?

Note that $k \in \mathbb{N}$ is an input of the problem and not a parameter of BMC. This makes a significant difference for complexity, since complexity usually increases when a value passes from being a constant to being an input.

The phase-bounded model-checking problem (PBMC) is defined similarly by replacing '$k$-bounded run' by '$k$-phase-bounded run' in the above definition. Similarly, we can obtain a definition with order-boundedness. Order-bounded model-checking problem for multi-pushdown systems (OBMC):

input: $(P, g_0, \phi, \preceq)$ where $P$ is a multi-pushdown system, $g_0$ gives an initial configuration $(g_0, (\bot)^N)$, $\phi$ is a formula in Multi-CaRet($P$) and $\preceq = ([N], <)$ is a total ordering of the stacks.

question: Is there an infinite $\preceq$-bounded run $\rho$ from $(g_0, (\bot)^N)$ such that $\rho \models \phi$?

We present below the problem of repeated reachability for multi-pushdown systems, denoted REP. In Section 4, we show how MC can be reduced to REP while obtaining optimal complexity upper bounds.

input: $(P, I_0, \mathcal{F})$ where $P$ is a multi-pushdown system, $I_0$ is a subset of the global states of $P$ denoting the initial states, and $\mathcal{F}$ is a collection of Büchi acceptance sets.

question: Is there an infinite run $\rho$ from some $(g_0, (\bot)^N)$ with $g_0 \in I_0$ such that for each $F \in \mathcal{F}$ there exists a $g_F \in F$ that is repeated infinitely often?

We will refer to the problem restricted to $k$-bounded runs as BREP. Obviously, the variants with other notions of boundedness can be defined too.

Finally, the simplified version of Multi-CaRet consists of the restriction of Multi-CaRet in which atomic formulae are of the form $(g, s)$ when enhanced multi-pushdown systems are involved. Logarithmic-space reductions exist between the full problems and their restrictions to the simplified languages.



Lemma 6. For every problem $\mathcal{P}$ in {MC, BMC, PBMC, OBMC}, there is a logarithmic-space reduction to $\mathcal{P}$ restricted to formulae from the simplified language.

The proof is by an easy verification; its very idea consists in adding to the global states information about the next active stack and about the type of action. In the sequel, without any loss of generality, we restrict ourselves to the simplified languages.

Theorem 7. [19] BMC, PBMC and OBMC are decidable.

The decidability proof from [19] is very general and partly relies on Courcelle's Theorem. However, it only provides non-elementary complexity upper bounds. As a main result of the paper, we shall show that BMC is ExpTime-complete when $k$ is encoded in unary and in 2ExpTime when $k$ is encoded in binary.

4 From Model-Checking to Repeated Reachability 

Herein, we reduce the model-checking problem (MC) to the repeated reachability problem (REP) while noting complexity features that are helpful later on (Theorem 10). This generalizes the reduction from LTL model checking for finite-state systems to non-emptiness for generalized Büchi automata (see e.g. [27]), similarly to the approach followed in [26]; not only do we have to tailor the reduction to Multi-CaRet and to multi-pushdown systems, but we also aim at getting tight complexity bounds afterwards. The instance of the problem MC that we have is a multi-pushdown system $P$, a formula $\phi$ and an initial state $(g_0, i_0)$. For the instance of REP that we reduce to, we denote the multi-pushdown system by $\hat{P}$, the set of acceptance sets by $\mathcal{F}$ and the set of initial states by $I_0$.

4.1 Augmented Runs 

Let $\rho$ be a run of the multi-pushdown system $P = (G \times [N], N, \Gamma, \boldsymbol{\Delta})$ with $\rho \in (G \times [N] \times (\Gamma^*)^N)^\omega$. The multi-pushdown system $\hat{P}$ is built in such a way that its runs correspond exactly to runs of $P$ augmented with pieces of information related to the satisfaction of subformulae (taken from the closure set $\mathrm{Cl}(\phi)$ elaborated on shortly), to whether a stack is dead or not (using a tag from {alive, dead}) and to whether the current call will ever be returned or not (using a tag from {noreturn, willreturn}). These additional tags suffice to reduce the existence of a run satisfying $\phi$ to the existence of a run satisfying a generalized Büchi condition. First, we define from $\rho$ an "augmented run" $\gamma(\rho)$, which is an infinite sequence from $(\hat{G} \times [N] \times (\hat{\Gamma}^*)^N)^\omega$ where

$$\hat{G} = G \times \mathcal{P}(\mathrm{Cl}(\phi))^N \times \{\mathrm{noreturn}, \mathrm{willreturn}\}^N \times \{\mathrm{alive}, \mathrm{dead}\}^N \quad\text{and}\quad \hat{\Gamma} = \Gamma \times \mathcal{P}(\mathrm{Cl}(\phi)) \times \{\mathrm{noreturn}, \mathrm{willreturn}\}.$$

By definition, an augmented run is simply an $\omega$-sequence, but it remains to check that it is indeed also a run of the new system. We will see that $\hat{G} \times [N]$ is the set of global states of $\hat{P}$ and $\hat{\Gamma}$ is the stack alphabet of $\hat{P}$.

Before defining $\gamma(\cdot)$, which maps runs to augmented runs, let us introduce the standard notion of closure, slightly tailored to our needs. Note that each global state is partially made of sets of formulas that can be viewed as obligations for the future. In order to consider only runs satisfying a formula $\phi$, it is sufficient to require that at the first position the obligations include the satisfaction of $\phi$. Obligations can be enforced by the transition relation but also by the satisfaction of Büchi acceptance conditions. It is our intention that the set of runs of $\hat{P}$ satisfying the generalized Büchi acceptance condition corresponds exactly to the set of augmented runs obtained from runs of $P$. Not only does the new system simulate all the runs of the original system, it also keeps track of which subformulas hold true at each position. So, the projection of $\gamma(\rho)$ over $G \times [N]$ and $\Gamma$ (i.e. the operation of getting rid of the tags) corresponds exactly to $\rho$.

With this understanding of our intentions, we define obligations as a tuple of sets of formulas indexed by the stacks; each stack comes with a finite set of formulas. These formulas are obtained from the closure of $\phi$, defined as the set of subformulas of $\phi$ enriched with formulas for the until formulas. This is similar to what is usually done for LTL and is just a variant of the Fischer-Ladner closure [17]. Given a formula $\phi$, its closure, denoted $Cl(\phi)$, is the smallest set that contains $\phi$ and the elements of $G \times [N]$, and satisfies the following properties ($b \in \{a, c\}$ and $s \in [N]$): 

- If $\neg\psi \in Cl(\phi)$ or $X\psi \in Cl(\phi)$ or $X^b_s\psi \in Cl(\phi)$, then $\psi \in Cl(\phi)$. 

- If $\psi \vee \psi' \in Cl(\phi)$, then $\psi, \psi' \in Cl(\phi)$. 

- If $\psi U \psi' \in Cl(\phi)$, then $\psi$, $\psi'$ and $X(\psi U \psi')$ are in $Cl(\phi)$. 

- If $\psi U^b_s \psi' \in Cl(\phi)$, then $\psi$, $\psi'$ and $X^b_s(\psi U^b_s \psi')$ are in $Cl(\phi)$. 

- If $\psi \in Cl(\phi)$ and $\psi$ is not of the form $\neg\psi'$, then $\neg\psi \in Cl(\phi)$. 

Note that the number of formulas in $Cl(\phi)$ is linear in the size of $\phi$ and $P$. An atom of $\phi$ is a set $A \subseteq Cl(\phi)$ that satisfies the following properties: 

- For $\neg\psi \in Cl(\phi)$, $\psi \in A$ iff $\neg\psi \notin A$. 

- For $\psi \vee \psi' \in Cl(\phi)$, $\psi \vee \psi' \in A$ iff ($\psi \in A$ or $\psi' \in A$). 

- For $\psi U \psi' \in Cl(\phi)$, $\psi U \psi' \in A$ iff $\psi' \in A$ or ($\psi \in A$ and $X(\psi U \psi') \in A$). 

- $A$ contains exactly one element from $G \times [N]$. 

Let $Atoms(\phi)$ denote the set of atoms of $\phi$ along with the empty set (used as a special atom; its use will become clear later). Note that there are $2^{O(|Cl(\phi)|)}$ atoms of $\phi$. 
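As an added illustration (this is not code from the paper), the following Python computes $Cl(\phi)$ by the five closure rules above and enumerates the atoms by brute force over the subsets of $Cl(\phi)$. The tuple encoding of formulas and the sample $G$, $N$ and $\phi$ are assumptions of this example.

```python
# Added example, not the paper's code. Formulas are nested tuples (an assumed encoding):
#   ('prop', g, s)            an element (g, s) of G x [N]
#   ('not', psi)              negation
#   ('or', psi, psi2)         disjunction
#   ('X', psi)                next
#   ('Xb', b, s, psi)         X^b_s with b in {'a', 'c'} and s in [N]
#   ('U', psi, psi2)          until
#   ('Ub', b, s, psi, psi2)   U^b_s


def closure(phi, global_states):
    """Cl(phi): the smallest set containing phi and G x [N] that is closed under
    the five rules of the definition (subformulas, the next-of-until formulas,
    and negations of formulas that are not themselves negations)."""
    cl = set(global_states) | {phi}
    work = list(cl)

    def add(f):
        if f not in cl:
            cl.add(f)
            work.append(f)

    while work:
        f = work.pop()
        kind = f[0]
        if kind in ('not', 'X'):
            add(f[1])
        elif kind == 'or':
            add(f[1])
            add(f[2])
        elif kind == 'Xb':
            add(f[3])
        elif kind == 'U':
            add(f[1])
            add(f[2])
            add(('X', f))                  # X(psi U psi')
        elif kind == 'Ub':
            _, b, s, p1, p2 = f
            add(p1)
            add(p2)
            add(('Xb', b, s, f))           # X^b_s(psi U^b_s psi')
        if kind != 'not':
            add(('not', f))
    return frozenset(cl)


def is_atom(subset, cl):
    """The four atom conditions: negation-consistent, disjunction-consistent,
    until expanded one step, and exactly one element of G x [N]."""
    for f in cl:
        kind = f[0]
        if kind == 'not' and (f[1] in subset) == (f in subset):
            return False
        if kind == 'or' and (f in subset) != (f[1] in subset or f[2] in subset):
            return False
        if kind == 'U':
            expanded = f[2] in subset or (f[1] in subset and ('X', f) in subset)
            if (f in subset) != expanded:
                return False
    return sum(1 for f in subset if f[0] == 'prop') == 1


def atoms(phi, global_states):
    """Atoms(phi) without the special empty atom, enumerated over all subsets of
    Cl(phi) (exponential, which is fine for the small formulas used here)."""
    cl = closure(phi, global_states)
    members = sorted(cl, key=repr)
    found = []
    for mask in range(1 << len(members)):
        subset = frozenset(f for i, f in enumerate(members) if mask >> i & 1)
        if is_atom(subset, cl):
            found.append(subset)
    return found


# Constructed sample: G = {g0, g1}, N = 2, phi = (g0, 0) U X^a_0 (g1, 1).
GLOBAL_STATES = [('prop', g, s) for g in ('g0', 'g1') for s in (0, 1)]
PHI = ('U', ('prop', 'g0', 0), ('Xb', 'a', 0, ('prop', 'g1', 1)))
```

For the sample, $Cl(\phi)$ has 14 formulas (four elements of $G \times [N]$, $\phi$, $X^a_0(g_1,1)$, $X\phi$ and their negations) and 16 atoms: the choice of the single element of $G \times [N]$, of $X^a_0(g_1,1)$ and of $X\phi$ is free, after which $\phi$ and all negations are forced.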

We write $((g^t, s^t), w^t)$ to denote the $t$-th configuration of $\rho$. We define the augmented run $\gamma(\rho)$ so that its $t$-th configuration is of the form $((\hat{g}^t, s^t), \hat{w}^t)$ with $\hat{g}^t = (g^t, A^t, r^t, d^t)$ and $\hat{w}^t_j = (w^t_j, u^t_j, v^t_j)$ for every $j$ in $[N]$. We say that the stack $j$ is active at time $t$ if $s^t = j$. 

Then, we define the dead-alive tag to be dead if and only if the stack is not active at or after the corresponding position. 

$$\forall t \ge 0,\ j \in [N]:\ (d^t_j = \mathit{dead}) \Leftrightarrow (\forall t' \ge t,\ s^{t'} \ne j). \quad (1)$$ 

The idea of the closure, as we discussed, is to maintain the set of subformulas that hold true at each step. We expect it to be the empty set if the stack is dead. 

$$\forall t \ge 0,\ j \in [N] \text{ with } d^t_j = \mathit{alive},\ \psi \in Cl(\phi):\ \psi \in A^t_j \Leftrightarrow \rho, t' \models \psi, \text{ where } t' \text{ is the least } t' \ge t \text{ with } s^{t'} = j. \quad (2)$$ 

$$\forall t \ge 0,\ j \in [N] \text{ with } d^t_j = \mathit{dead}:\ A^t_j = \emptyset. \quad (3)$$ 

As for the willreturn-noreturn tag, it reflects whether a call action has a "matching" return. This is similar to the $\{\infty, ret\}$ tags in [1]. This may be done by defining the tag to be noreturn if the stack will never become smaller than what it is now. 

$$\forall t \ge 0,\ j \in [N] \text{ with } d^t_j = \mathit{alive}:\ (r^t_j = \mathit{noreturn}) \Leftrightarrow (\forall t' \ge t,\ |w^{t'}_j| \ge |w^t_j|). \quad (4)$$ 

Finally, the formulas and the willreturn-noreturn tag on the stack are defined to be what they were in the global state at the time when the corresponding letter was pushed on the stack. 

$$\forall t \ge 0,\ j \in [N]:\ v^t_j = A^{t_1}_j A^{t_2}_j \ldots A^{t_l}_j \ \text{ and } \ u^t_j = r^{t_1}_j r^{t_2}_j \ldots r^{t_l}_j, \quad (5)$$ 

where for $k$ in $[l]$, $t_k$ is the largest $t_k < t$ such that $|w^{t_k}_j| = k - 1$. 

We observe below properties about the way tags are placed in $\gamma(\rho)$. Later on, we shall establish that these conditions are sufficient to guarantee that any sequence satisfying them corresponds to a run of $P$ whose augmented run is exactly the sequence. Here are properties of $\gamma(\rho)$ that are easy to check using the definition of $\gamma(\cdot)$ and the satisfaction relation $\models$. 

1. For all $t \ge 0$ and $j \in [N]$, $d^t_j = \mathit{alive}$ if $j = s^t$. 

2. For all $t \ge 0$ and $j \in [N] \setminus \{s^t\}$, $d^{t+1}_j = d^t_j$, $r^{t+1}_j = r^t_j$ and $A^{t+1}_j = A^t_j$ (only tags related to the active stack may change). 

3. For all $t \ge 0$ and $j \in [N]$, $\{\psi \in Cl(\phi) : \rho, t \models \psi\}$ is an atom and therefore, for all $t \ge 0$ and $j \in [N]$, if $d^t_j = \mathit{alive}$ then $A^t_j$ is an atom. 

4. For all $t \ge 0$ and $j \in [N]$, $(g^t, s^t) \in A^t_{s^t}$. 

5. For all $t \ge 0$, if the $(t+1)$-th action on the stack is a call and $r^t_{s^t} = \mathit{willreturn}$, then $r^{t+1}_{s^t} = \mathit{willreturn}$ and willreturn is the top symbol of $u^{t+1}_{s^t}$. Moreover, $A^t_{s^t}$ is the top symbol of $v^{t+1}_{s^t}$. 

6. For all $t \ge 0$, if the $(t+1)$-th action on the stack is a return, then $r^t_{s^t} = \mathit{willreturn}$ and $r^{t+1}_{s^t}$ is equal to the top symbol of $u^t_{s^t}$. Moreover, $X^a_{s^t} A \subseteq A^{t+1}_{s^t}$, where $A$ is the top symbol of $v^t_{s^t}$. As a notational convenience, we denote the next formulas in a set $A$ by $XA$. In other words, $XA = \{\psi \mid X\psi \in A\}$, $X^b_s A = \{\psi \mid X^b_s\psi \in A\}$, etc. 

7. For all $t \ge 0$, $XA^t_{s^t} \subseteq A^{t+1}_{s^t}$. 

8. For all $t \ge 0$, if the $(t+1)$-th action on the stack is internal, then $r^{t+1}_{s^t} = r^t_{s^t}$. Moreover, $X^a_{s^t} A^t_{s^t} \subseteq A^{t+1}_{s^t}$ and $X^c_{s^t} A^t_{s^t} = X^c_{s^t} A^{t+1}_{s^t}$. 

9. For all $t \ge 0$, the set $X^a_{s^t} A^t_{s^t}$ is empty if one of the conditions below is met: 

(a) the $(t+1)$-th action on the stack is a call and $r^t_{s^t} = \mathit{noreturn}$, 

(b) the $(t+1)$-th action on the stack is a return, 

(c) $d^{t+1}_{s^t} = \mathit{dead}$. 

10. For all $t \ge 0$, if the $(t+1)$-th action on the stack is a call, then for every $X^c_{s^t}\psi \in Cl(\phi)$, $X^c_{s^t}\psi \in A^{t+1}_{s^t}$ iff $\psi \in A^t_{s^t}$. 

11. For all $t \ge 0$ and $j \in [N]$, if $\psi \in Cl(\phi)$ with $\psi = \phi_1 U^b_i \phi_2$, then: 

(a) if $i = j$, then $\psi \in A^t_j$ iff $\phi_2 \in A^t_j$ or ($\phi_1 \in A^t_j$ and $X^b_i\psi \in A^t_j$), 

(b) if $i \ne j$, then $\psi \in A^t_j$ iff $\psi \in A^t_i$. 

12. For all $t \ge 0$ and $j \in [N]$, if $d^t_j = \mathit{dead}$ then $A^t_j = \emptyset$. 

The properties stated above are local, since they involve at most two successive configurations. It is also possible to observe Büchi conditions that involve the infinite part of $\gamma(\rho)$. 

1. As for standard until formulas in LTL, for every $\phi_1 U \phi_2 \in Cl(\phi)$, infinitely often in $\gamma(\rho)$ there is a global state $((\hat{g}^t, s^t), \hat{w}^t)$ with $\hat{g}^t = (g^t, A^t, r^t, d^t)$ such that either $\phi_2 \in A^t_{s^t}$ or $\phi_1 U \phi_2 \notin A^t_{s^t}$. 

2. There is a similar property with abstract until: for every $\phi_1 U^a_s \phi_2 \in Cl(\phi)$, infinitely often in $\gamma(\rho)$ there is a state $((\hat{g}^t, s^t), \hat{w}^t)$ with $\hat{g}^t = (g^t, A^t, r^t, d^t)$ such that $s = s^t$, $r^t_s = \mathit{noreturn}$, and ($\phi_2 \in A^t_s$ or $\phi_1 U^a_s \phi_2 \notin A^t_s$). 

3. For every $s \in [N]$, infinitely often in $\gamma(\rho)$ there is a global state $((\hat{g}^t, s^t), \hat{w}^t)$ with $\hat{g}^t = (g^t, A^t, r^t, d^t)$ such that either $s^t = s$ or $d^t_s = \mathit{dead}$. Moreover, note that $d^t_s = \mathit{dead}$ implies $d^{t+1}_s = \mathit{dead}$. 

4. For every $s \in [N]$, infinitely often in $\gamma(\rho)$ there is a global state $((\hat{g}^t, s^t), \hat{w}^t)$ with $\hat{g}^t = (g^t, A^t, r^t, d^t)$ such that either $d^t_s = \mathit{dead}$ or ($s^t = s$ and $r^t_s = \mathit{noreturn}$). 



4.2 Synchronized Product 

Let us define the multi-pushdown system $\hat{P}$ as $(\hat{G} \times [N], N, \hat{\Gamma}, \hat{\Delta})$ with 

- $\hat{G} = G \times Atoms(\phi)^N \times \{\mathit{noreturn}, \mathit{willreturn}\}^N \times \{\mathit{alive}, \mathit{dead}\}^N$, 

- $\hat{\Gamma} = \Gamma \times Atoms(\phi) \times \{\mathit{noreturn}, \mathit{willreturn}\}$, 

- each transition relation $\hat{\Delta}_s$ is defined such that $(\hat{g}, s, \hat{a}, \hat{g}', s', o(\hat{a}'))$ is in $\hat{\Delta}_s$ iff the conditions from Fig. 1 are satisfied. 

These conditions are actually the syntactic counterparts of the semantical properties stated a bit earlier. To refer to elements in the set, we use $g$ to denote a state in the original multi-pushdown system, $A_j$ for atoms, $r_j$ for return/no-return tags, $d_j$ for dead/alive tags, $a_g$ to denote a stack letter from the original multi-pushdown system, $a_A$ for a stack atom, and $a_r$ for the return tag saved on the stack. We use the unprimed version to denote the state and the letter on top of the stack before the transition is taken and the primed ones for after. Finally, $o$ denotes the action to perform on the stack, one of $\{call, internal, return\}$. 
1. $((g, s), a_g, (g', s'), o(a'_g)) \in \Delta_s$ 

2. $d_s = \mathit{alive}$ 

3. $\forall j \ne s$, $d_j = d'_j$ 

4. If $o = call$, then $r_s = \mathit{willreturn} \Rightarrow r'_s = \mathit{willreturn}$ and $a'_r = r_s$ 

5. If $o = internal$, then $r'_s = r_s$ and $a'_r = a_r$ 

6. If $o = return$, then $r_s = \mathit{willreturn}$ and $r'_s = a_r$ 

7. $\forall j \ne s$, $r_j = r'_j$ 

8. $(g, s) \in A_s$ 

9. $\forall j \ne s$, $A_j = A'_j$ 

10. $XA_s \subseteq A'_s$ 

11. If $o = call$, then $a'_A = A_s$ 

12. If $o = internal$, then $X^a_s A_s \subseteq A'_s$ and $a'_A = a_A$ 

13. If $o = return$, then $X^a_s a_A \subseteq A'_s$ 

14. Further, $X^a_s A_s = \emptyset$ if 

(a) $o = call$ and $r_s = \mathit{noreturn}$, or 

(b) $o = return$, or 

(c) $d'_s = \mathit{dead}$ 

15. If $o = call$, then $X^c_s A'_s = (X^c_s Atoms(\phi)) \cap A_s$ 

16. If $o = internal$, then $X^c_s A'_s = X^c_s A_s$ 

17. Let $b \in \{a, c\}$. Let $\psi \in Cl(\phi)$, $\psi = \phi_1 U^b_s \phi_2$. Then, $\psi \in A_s$ iff either $\phi_2 \in A_s$ or ($\phi_1 \in A_s$ and $X^b_s\psi \in A_s$). 

18. Let $b \in \{a, c\}$. Let $\psi \in Cl(\phi)$, $\psi = \phi_1 U^b_j \phi_2$ with $j \ne s$. Then $\psi \in A_s$ iff $\psi \in A_j$. 

19. $\forall j$: If $d_j = \mathit{dead}$, then $A_j = \emptyset$ and $r_j = \mathit{noreturn}$. 

Fig. 1. Conditions for the transition relation $\hat{\Delta}_s$. We recall that $XA = \{\psi \mid X\psi \in A\}$ and $X^b_s A = \{\psi \mid X^b_s\psi \in A\}$. 

The set $\mathcal{F}$ is defined by the following sets of accepting states: 

(a) For each until formula $\psi = \phi_1 U \phi_2 \in Cl(\phi)$, we define 

$$F^{(a)}_\psi = \{(\hat{g}, s) \mid \phi_2 \in A_s \text{ or } \psi \notin A_s\}.$$ 

(b) For each abstract-until formula $\psi = \phi_1 U^a_s \phi_2 \in Cl(\phi)$, we define 

$$F^{(b)}_\psi = \{(\hat{g}, s) \mid r_s = \mathit{noreturn} \text{ and } (\phi_2 \in A_s \text{ or } \psi \notin A_s)\}.$$ 

(c) For each $j \in [N]$, we define 

$$F^{(c)}_j = \{(\hat{g}, s) \mid j = s\} \cup \{(\hat{g}, s) \mid d_j = \mathit{dead}\}.$$ 

(d) For each $j \in [N]$, we define 

$$F^{(d)}_j = \{(\hat{g}, s) \mid d_j = \mathit{dead}\} \cup \{(\hat{g}, s) \mid j = s,\ r_s = \mathit{noreturn}\}.$$ 

The transition relations in $\hat{P}$ and the acceptance conditions in $\mathcal{F}$ mimic syntactically the semantical properties satisfied by the augmented runs defined from runs of $P$. That is why the correctness lemma stated below follows from the observations about $\gamma(\cdot)$ made earlier. 

Lemma 8. Let $\rho$ be a run of $P$. Then, $\gamma(\rho)$ is a run of $\hat{P}$ such that for every $F \in \mathcal{F}$, there is a global state in $F$ that is repeated infinitely often. 

It remains to show that any accepting run corresponds to a run of the original system; we show that this run is in fact the run obtained by "forgetting" the augmentations. 

Lemma 9. Let $\hat{\rho}$ be a run of $\hat{P}$ satisfying the acceptance condition $\mathcal{F}$. Then, $\hat{\rho}$ is the augmented run corresponding to $\Pi(\hat{\rho})$, which can be shown to be a run of $P$: 

$$\gamma(\Pi(\hat{\rho})) = \hat{\rho}.$$ 

From Lemmas 8 and 9, the soundness and completeness of the reduction follow if we define the set of new initial states $I_0$ for the REP problem as the states with initial state $(g_0, i_0)$ for the MC problem and $\phi$ present in the part tracking the formulas that hold true: 

$$I_0 = \{((g_0, A, r, d), i_0) \mid \phi \in A_{i_0}\}.$$ 

This gives an exponential-time reduction from MC to REP, as well as between their bounded variants. 

Theorem 10. Let $P$ be a multi-pushdown system with initial configuration $(g, (\bot)^N)$ and $\phi$ be a Multi-CaRet formula. Let $\hat{P}$ be the multi-pushdown system built from $P$, $g$ and $\phi$, $I_0$ be the associated set of initial states and $\mathcal{F}$ be the acceptance condition. 

(I) If $\rho_1$ is a run of $P$ from $(g, (\bot)^N)$, then $\rho_2 = \gamma(\rho_1)$ is a run of $\hat{P}$ satisfying $\mathcal{F}$ and (A)-(C) hold true. 

(II) If $\rho_2$ is a run of $\hat{P}$ from some initial configuration with global state in $I_0$ and satisfying $\mathcal{F}$, then $\Pi(\rho_2)$ is a run of $P$ and (A)-(C) hold true too. 

Conditions (A)-(C) are defined as follows: 

(A) $\rho_1$ is $k$-bounded iff $\rho_2$ is $k$-bounded, for all $k \ge 0$; 

(B) $\rho_1$ is $k$-phase-bounded iff $\rho_2$ is $k$-phase-bounded, for all $k \ge 0$; 

(C) $\rho_1$ is $\prec$-bounded iff $\rho_2$ is $\prec$-bounded, for all total orderings of the stacks $([N], \prec)$. 

Note that at each position, $\rho_1$ and $\rho_2$ work on the same stack and perform the same type of action (call, return, internal move), possibly with slightly different letters. This is sufficient to guarantee the satisfaction of the conditions (A)-(C). In the rest of this section we prove Lemma 9. 

Notation. Let $\hat{\rho}$ be a run of $\hat{P}$ satisfying the acceptance condition $\mathcal{F}$. First of all, we observe that $\rho = \Pi(\hat{\rho})$ is indeed a run of $P$ because of constraint 1 for the transition relation $\hat{\Delta}$. Thus, we may conveniently use the same notation as earlier to denote configurations: $((g^t, s^t), w^t)$ for the $t$-th configuration of $\rho$, and $((\hat{g}^t, s^t), \hat{w}^t)$ for $\hat{\rho}$, with $\hat{g}^t = (g^t, A^t, r^t, d^t)$ and $\hat{w}^t_j = (w^t_j, u^t_j, v^t_j)$ for every $j$ in $[N]$. 
Proof strategy. By a case-by-case analysis, we will show that $\hat{\rho}$ matches each augmentation of $\rho$ as would be obtained by (1)-(6). We will show this first for the contents of the stack, then for the two kinds of tags. The order will be important, as for some proofs we need the assumption that the other parts of the run match. Eventually, we will show the case for atoms. From the technical aspect, the case for the correctness of the parameterized abstract-until we introduced is the most interesting, for which we provide details. For the other cases, we shall just point to the relevant ingredients in the construction and leave the details to the reader. 

Case 1: Stack content differs. Let $t$ denote the first position where the augmented stack content in $\hat{\rho}$ differs from $\gamma(\rho)$ as defined in (5). Let $j$ denote a stack that differs. First, we observe that the lengths of the stacks must be the same, as the actions for both runs are the same (this, of course, can be proven more formally, but in the interest of readability, where clear, we use informal arguments such as these). Further, since $t$ is the first position where they differ, the difference has to be in the contents at the "top of the stack". According to the semantics of multi-pushdown systems, a change in the stack is possible only in the one stack active at time $t - 1$. We do a case analysis on the action: 

- If $o^{t-1} = call$, then according to constraints 4 and 11 the character at the top of the stack will be the same as defined in (5), a contradiction. 

- If $o^{t-1} = internal$, the stack atom and the stack return tag will not change from time $t - 1$ because of constraints 5 and 12, contradicting that it differs from $\gamma(\rho)$ as defined in (5). 

- If $o^{t-1} = return$, they could not possibly be different, since for both the top character is popped. 

Thus, the augmented stack contents must be identical and, if at all, the difference must be in the augmented global state. We already observed that the global state and the active stack match; it remains to show that the tags and the atoms match. 

Case 2: dead-alive tag differs. Let $t$ denote the least position where the two tags may differ. Fix $j \in [N]$, a stack for which the tag differs at this position $t$. 

Case 2(a): $d^t_j = \mathit{dead}$ but $\exists t' \ge t$ such that $s^{t'} = j$. We rule this out by the following observation about $\hat{\rho}$: 

Claim. Let $j \in [N]$. Let $d^t_j = \mathit{dead}$. Then, for all $t' \ge t$, $s^{t'} \ne j$ and $d^{t'}_j = \mathit{dead}$. 

Proof. If $d^t_j = \mathit{dead}$, then from $\hat{\rho}$ being a run of $\hat{P}$, constraint 2 forces that $s^t \ne j$. Consequently, from constraint 3 we conclude that $d^{t+1}_j = d^t_j = \mathit{dead}$. By induction on time the claim follows. 

Case 2(b): $d^t_j = \mathit{alive}$ but $\forall t' \ge t$, $s^{t'} \ne j$. We make another observation, which follows directly from constraint 3, which states that a tag may not change unless the corresponding stack is active. 

Claim. Let $j \in [N]$. Let $d^t_j = \mathit{alive}$ and further assume $\forall t' \ge t$, $s^{t'} \ne j$. Then, $d^{t'}_j = \mathit{alive}$ for all $t' \ge t$. 

As a consequence, for the tags to mismatch it must be the case that for all $t' \ge t$, $d^{t'}_j = \mathit{alive}$ and $s^{t'} \ne j$. However, such a run would not satisfy the Büchi condition in (c), leading to a contradiction. 



Case 3: willreturn-noreturn tag differs. Let $t$ denote the least such position. 

Claim. Let $j$ be in $[N]$. Let $r^t_j = \mathit{noreturn}$; then, for all $t' > t$ where [...], $r^{t'}_j = \mathit{noreturn}$. 

Proof. We will prove the statement for the smallest $t'$ with $t' > t$, and the claim will follow by induction on time. We consider the case where $j = s^t$, as otherwise $t' = t + 1$ and the statement follows from condition 7. If $o^t = internal$, again $t' = t + 1$ and the statement follows from condition 5. $o^t = return$ is not possible because of condition 6. Hence, the interesting case is when $j = s^t$ and $o^t = call$. Then, if $t'$ is as defined above, we can conclude from the semantics of multi-pushdown systems that $s^{t'-1} = j$ with $o^{t'-1} = return$. Further, the character "popped" from the stack at time $t' - 1$ is the same as the one that was "pushed" at time $t$, which was noreturn (condition 4). This in turn shows that $r^{t'}_j = \mathit{noreturn}$ (condition 6). 

The following claim, which rules out the tag being incorrectly marked noreturn, follows from the previous claim, along with condition 6, which disallows the action to be a return when the tag is noreturn. 

Claim. Let $j$ be in $[N]$. If $r^t_j = \mathit{noreturn}$, then $\forall t' \ge t$, [...]. 

Next, we consider the case when the tag is marked willreturn and show that there is indeed a position in the future when the stack returns. 

Claim. Let $j \in [N]$ and $r^t_j = \mathit{willreturn}$. Then, $\exists t' > t$ such that [...]. 

Proof. It is easy to show that while the height of the stack is more than that at time $t$, the tag will be willreturn (using constraints 4-6). In case this stack never becomes dead, the Büchi condition (d) will not be satisfied. In case the stack eventually becomes dead, condition 19 in the transition relation, which requires the tag to be noreturn when the stack goes dead, leads to a contradiction. 
Case 4: Atom differs. Let $\psi$ denote the smallest formula on which the atoms differ. Let $t$ be the smallest position where the difference is for $\psi$. That is, for some $j \in [N]$, $A^t_j$ does not match the definition obtained for the atoms of $\gamma(\rho)$ in (2) with respect to the presence (or absence) of $\psi$. We have $j = s^{t-1}$, for otherwise it is easy to conclude using constraint 9 (which states that only the atom for an active stack can change) that one may find a smaller $t$ where the runs differ with respect to $\psi$. Let $t^* \ge t$ be the smallest such that $s^{t^*} = j$. If such a $t^*$ does not exist, then the stack would in fact be dead, and constraint 19 will imply that the atom is the empty set, matching the definition of the atom for $\gamma(\rho)$, a contradiction. Thus, we have $\psi$ present (respectively, absent) in the atom $A^t_j$ but $\rho, t^* \not\models \psi$ (respectively, $\rho, t^* \models \psi$). To conclude the previous statement, we made use of constraint 9 and the definition of atoms for $\gamma(\rho)$ in (2). 

The rest of the analysis depends on the type of formula $\psi$ is. We consider the case when $\psi$ is an abstract-until formula in detail. The other cases for the atom are much simpler; we point to the parts of the transition relation constraints ($\hat{\Delta}$ in Fig. 1) and the Büchi acceptance conditions ($\mathcal{F}$) required to reach a contradiction. Correctness of atomic propositions is ensured by constraint 8, that of the propositional parts of the formulas by the definition of atoms, that of propagating next formulas by constraint 10, and for abstract-next by constraints 11-13, until formulas by atoms and the Büchi acceptance sets (a), and finally caller formulas (which are easier to handle since they are only passed down the stack) by constraints 15-18. We also do not elaborate on the case where the negation of an abstract-until is incorrectly present (i.e. release), which can be established with the help of transition constraints 11-14 and 17-18. 

[Figure 2: two timelines, one per stack $i$ and $j$, marking the positions $t-1$, $t$ and $t^*$.] 

Fig. 2. Visual representation of the $t$'s in the proof for abstract-until. Solid circles correspond to the particular stack being active. 

For the rest of the proof we focus on the subcase where $\psi = \phi_1 U^a_i \phi_2$ such that $\psi \in A^t_j$ but $\rho, t^* \not\models \psi$. Let $t_0 \ge t^*$ be the smallest such that $s^{t_0} = i$. We can conclude that $\psi \in A^{t_0}_i$ (trivially if $i = j$, and using constraints 18 and 9 otherwise), and $\rho, t_0 \not\models \psi$ (semantics of the operator $U^a_i$). Define $t_1, t_2, \ldots$ as the sequence of positions with $t_{k+1} = succ^{a,i}_\rho(t_k)$. From constraint 17 about abstract-until formulas in the atom corresponding to the active stack, if $\psi \in A^{t_0}_i$, then either $\phi_2 \in A^{t_0}_i$ or ($\phi_1 \in A^{t_0}_i$ and $X^a_i\psi \in A^{t_0}_i$). Using the fact that $\psi$ is the smallest "incorrect" formula, we rule out the former possibility (it would imply $\rho, t_0 \models \phi_2$, a contradiction to $\rho, t_0 \not\models \psi$). Thus, $\rho, t_0 \models \phi_1$ and $X^a_i\psi \in A^{t_0}_i$. From constraints 11-13 it follows that $\psi \in A^{t_1}_i$. Inductively, one may show that $\psi$ is in $A^{t_1}_i$, $A^{t_2}_i$, etc., and hence also $\rho, t_0 \models \phi_1$, $\rho, t_1 \models \phi_1$, etc. 

We have established that if an abstract-until formula is in an atom, the first part of the until formula is true at the successive abstract positions of the particular stack on which it is asserted. The rest of the argument would have proceeded analogously to the standard until formula, by having a Büchi acceptance condition ensure that eventually the second part of the formula holds. As such, the argument does not work, since the sequence of successive positions is not guaranteed to be infinite. We need to ensure that we have satisfied the until formula by the last position through the transition relation. To be able to do that, we need to be able to identify these last positions locally. This is where the tags are helpful: they let us determine exactly the cases when the sequence of successive positions at which the abstract until formula is to be asserted is finite, and the case when it is infinite and we require a Büchi acceptance set. We now present a more formal treatment, which will illustrate some subtleties (or technicalities, as one may prefer) of the argument. 

First of all, we recall that from the previous arguments we already know that the tags are correct (that is, they follow the semantics as in (1), (4)). The sequence would be finite if $succ^{a,i}_\rho(t_k)$ does not exist for some $k$. We do a case analysis on the action performed on the stack. If the action $o^{t_k}$ is a call, we consider two cases in which the abstract-successor may not exist. The first case is when the call does not return at all, that is $\forall t' > t_k$, $|w^{t'}_i| > |w^{t_k}_i|$; in other words, $\forall t' \ge t_k + 1$, $|w^{t'}_i| \ge |w^{t_k+1}_i|$. In such a case $r^{t_k}_i$ will be noreturn and hence, because of constraint 14a, there will be no abstract-next obligations. The second case is when the call does return. Even in such a case the successor may not exist if the stack is dead at this point. Formally, if $t' > t_k$ denotes the least position such that [...], the $t_k$-successor will not exist if $\forall t'' \ge t'$, $s^{t''} \ne i$; in other words, $d^{t'}_i = \mathit{dead}$. Since this is the least such position, we can conclude that $s^{t'-1} = i$ with $o^{t'-1} = return$, the character being popped being the one that was pushed at time $t_k$. Since a dead stack will not have any obligations (constraint 19), we may conclude from constraint 13 that the atom pushed at time $t_k$ has no abstract-next formula. To conclude, $A^{t_k}_i$ cannot have any abstract-next obligations if $o^{t_k} = call$ and $succ^{a,i}_\rho(t_k)$ is undefined. If the action $o^{t_k} = return$, constraint 14b ensures the same. Finally, for the case $o^{t_k} = internal$, the abstract-successor will not exist only if the stack becomes dead, which is handled by constraint 14c. 

On the contrary, let us consider the case where the sequence of abstract-successors is infinite. It must be the case that at each of these positions the tags are noreturn (this follows from the semantics of abstract-successors and the definition of the tags). We also observe that for each until formula there might be at most one such infinite sequence. Together, these observations imply that the run does not satisfy the Büchi acceptance condition (b). 

We have exhausted all possible cases and may safely claim that, indeed, $\hat{\rho} = \gamma(\rho)$. 
5 Complexity Analysis with Bounded Runs 

5.1 Bounded Repeated Global State Reachability Problem 

In this section, we evaluate the computational complexity of the problem BREP as well as of its variant restricted to a single accepting global state, written below $\mathrm{BREP}_{single}$. First, note that there is a logarithmic-space reduction from BREP to $\mathrm{BREP}_{single}$ by copying the multi-pushdown system as many times as the cardinality of $\mathcal{F}$ (as done to reduce the non-emptiness problem for generalized Büchi automata to the non-emptiness problem for standard Büchi automata). This allows us to conclude about the complexity upper bound for BMC itself, but it is worth noting that the multi-pushdown system obtained by synchronization has an exponential number of global states and therefore a refined complexity analysis is required to get optimal upper bounds. 

In order to analyze the complexity for $\mathrm{BREP}_{single}$, we take advantage of two proof techniques that have been introduced earlier and for which we provide a complexity analysis that will suit our final goal. Namely, the existence of an infinite $k$-bounded run such that a final global state $(g_f, i_f)$ is repeated infinitely often is checked: 

(1) by first guessing a sequence of intermediate global states witnessing the context switches, of length at most $k + 1$, 

(2) by computing the (regular) set of reachable configurations following that sequence and then, 

(3) by verifying whether there is a reachable configuration leading to an infinite run such that $(g_f, i_f)$ is repeated infinitely often and no context switch occurs. 

The principle behind (2) is best explained in [21], but we provide a complexity analysis using the computation of $post^*(X)$ along the lines of [22]. Sets $post^*(X)$ need to be computed at most $k$ times, which might cause an exponential blow-up (for instance if at each step the number of states were multiplied by a constant). Actually, computing $post^*$ adds an additive factor at each step, which is essential for our complexity analysis. Let us define the problem $\mathrm{BREP}_{single}$ (bounded repeated global state reachability problem for multi-pushdown systems): 

input: a multi-pushdown system $P$, an initial configuration $((g, i), (\bot)^N)$, a global state $(g_f, i_f)$ and a bound $k \in \mathbb{N}$. 

question: Is there an infinite $k$-bounded run $\rho$ from $((g, i), (\bot)^N)$ such that $(g_f, i_f)$ is repeated infinitely often? 

Proposition 11. $\mathrm{BREP}_{single}$ can be solved in time $O(|P|^{k+1} \times p(k, |P|))$ for some polynomial $p(\cdot, \cdot)$. 

The proof of Proposition 11 is at the heart of our complexity analysis and it relies on constructions from [11,22]. Moreover, we shall take advantage of it when the input system is precisely $\hat{P}$. 
Proof. We use the following results on pushdown systems. Let $P = (G, \Gamma, \Delta)$ be a pushdown system and $\mathcal{A}$ be a $P$-automaton encoding a regular set of configurations. We recall that a $P$-automaton $\mathcal{A} = (Q, \Gamma, \delta, G, F)$ is a finite-state automaton over the alphabet $\Gamma$ such that $G \subseteq Q$ [22]. A configuration $(g, w)$ is recognized by $\mathcal{A}$ (written $(g, w) \in L(\mathcal{A})$) iff $g \xrightarrow{w} g'$ in $\mathcal{A}$ for some accepting state $g' \in F$. Hence, the set $G$ in $(Q, \Gamma, \delta, G, F)$ can be viewed as a set of initial states, and acceptance is relative to the initial state $g$ that allows one to satisfy $g \xrightarrow{w} g'$. Note that a $P$-automaton is nothing else than a means to represent a regular set of configurations. 

Let us list a few essential properties. 

(i) Let $post^*(\mathcal{A}) = \{(g, w) : \exists (g', w') \in L(\mathcal{A}) \text{ s.t. } (g', w') \rightarrow^* (g, w) \text{ in } P\}$. The set $post^*(\mathcal{A})$ can be represented by a $P$-automaton $\mathcal{A}'$ such that the number of states of $\mathcal{A}'$ is bounded by the number of states of $\mathcal{A}$ plus $card(G) \times card(\Gamma)$, and the time required to compute $\mathcal{A}'$ is quadratic in its number of states and in $card(\Gamma)$. Clearly $\mathcal{A}'$ can be computed in polynomial time in $|\mathcal{A}| + |P|$, see e.g. [22], but we shall also take advantage of the fact that the number of states is at most augmented by a constant factor [22, Section 3.3.3]. 

(ii) Checking whether there is an infinite run $\rho$ starting from a configuration in $L(\mathcal{A})$ and such that the global state $(g_f, i_f)$ is repeated infinitely often can be done in polynomial time in $|\mathcal{A}| + |P|$, see e.g. [11]. 

Let $P = (G \times [N], N, \Gamma, \Delta_1, \ldots, \Delta_N)$ be an enhanced multi-pushdown system, $(g, i)$ and $(g_f, i_f)$ be global states and $k \in \mathbb{N}$. For every $(g_1, i_1) \cdots (g_l, i_l) \in (G \times [N])^*$ such that $l \le k + 1$, $(g, i) = (g_1, i_1)$ and $i_f = i_l$, we check whether there is an infinite run $\rho$ from $((g, i), (\bot)^N)$ such that 

1. $(g_f, i_f)$ is repeated infinitely often, 

2. the sequence of active stacks in $\rho$ is exactly $i_1 \cdots i_l$ and $(g_1, i_1) \cdots (g_l, i_l)$ witnesses which are the intermediate global states at which there is a context switch. 

We show that checking the existence of such a run can be done in polynomial time, which entails an ExpTime upper bound since there is an exponential number of sequences of the form $(g_1, i_1) \cdots (g_l, i_l)$ with $l \le k + 1$. 

The algorithm has two steps. First, we build an automaton $\mathcal{A}$ encoding a (regular) set of configurations from $(G \times [N], \Gamma, \Delta_{i_l})$ corresponding to the configurations of $P$ restricted to the $i_l$-th stack that can be reached from $((g_1, i_1), (\bot)^N)$ via the sequence $(g_1, i_1) \cdots (g_l, i_l)$. This is precisely the approach followed in [21]: picking a sequence of context switches and doing a $post^*(\cdot)$ in that order to get the set of all reachable configurations. We shall see that $\mathcal{A}$ can indeed be computed in polynomial time in $|P|$. Then, we use the polynomial-time algorithm from (ii) above to check whether there is an infinite run $\rho$ for the pushdown system $(G \times \{i_l\}, \Gamma, \Delta_{i_l})$ that starts from a configuration in $L(\mathcal{A})$ and such that the global state $(g_f, i_f)$ is repeated infinitely often. It remains to check that $\mathcal{A}$ can be computed in polynomial time in $|P|$. 
Let us introduce some notation. We write $P_j$ to denote the pushdown system $(G \times [N], \Gamma, \Delta_j)$. Note that $P$ and $P_j$ have identical sets of global states: $P_j$ corresponds to $P$ restricted to the transition relation $\Delta_j$. Given a $P$-automaton or a $P_j$-automaton $\mathcal{A} = (Q, \Gamma, \delta, G \times [N], F)$, we write $FSA(\mathcal{A}, (g, i))$ to denote a finite-state automaton such that for every $w \in \Gamma^*$, we have $w \in L(FSA(\mathcal{A}, (g, i)))$ iff $((g, i), w) \in L(\mathcal{A})$. Note that $FSA(\mathcal{A}, (g, i))$ can be easily obtained from $\mathcal{A}$ by replacing $(g, i)$ by a new state $q$ that is also the initial state. Similarly, given a finite-state automaton $\mathcal{A}$ over the alphabet $\Gamma$, we write $PA(\mathcal{A}, (g, i))$ to denote a $P$-automaton such that 

1. for every $(g', i') \ne (g, i)$, for every $w \in \Gamma^*$, $((g', i'), w) \notin L(PA(\mathcal{A}, (g, i)))$, 

2. for every $w \in \Gamma^*$, $((g, i), w) \in L(PA(\mathcal{A}, (g, i)))$ iff $w \in L(\mathcal{A})$. 

Without any loss of generality, we can assume that $G \times [N]$ is disjoint from the set of states of $\mathcal{A}$ (otherwise, we rename the states). $PA(\mathcal{A}, (g, i))$ can be obtained from $\mathcal{A}$ by adding all the states from $G \times [N]$ and by replacing, in the transition relation, the initial state of $\mathcal{A}$ by $(g, i)$. Observe that the operations $post^*(\cdot)$, $FSA(\cdot)$ and $PA(\cdot)$ define automata where the increase in the number of states is bounded by $card(G) \times N$. Hence, performing such operations at most $3 \times (k + 1)$ times, irrespective of the ordering of these operations, will increase the number of states by at most $card(G) \times N \times 3 \times (k + 1)$. 

Now, let us define the (simple) algorithm that consists in computing a $P_{i_l}$-automaton that represents the set of configurations with global state $(g_l, i_l)$ reachable from the initial configuration and following the sequence of intermediate global states (that witness the context switches too). 

Let $a := 1$ and define the finite-state automata $\mathcal{A}_1, \ldots, \mathcal{A}_N$ over the alphabet $\Gamma$ such that $L(\mathcal{A}_1) = \cdots = L(\mathcal{A}_N) = \{\bot\}$. While $a \le l$, perform the following steps: 

1. Compute a $P_{i_a}$-automaton $\mathcal{B}$ that represents all the configurations reachable from a configuration of the form $((g_a, i_a), w)$ with $w \in L(\mathcal{A}_{i_a})$ using only the stack $i_a$. 

That is, $\mathcal{B} := post^*(PA(\mathcal{A}_{i_a}, (g_a, i_a)))$ (computed from $P_{i_a}$); 

2. If $a < l$, then update $\mathcal{A}_{i_a}$ so that it represents the set of contents for the stack $i_a$ from the configurations represented by $\mathcal{B}$. Otherwise return the $P$-automaton $PA(\mathcal{A}_{i_l}, (g_l, i_l))$. 

That is, if $a < l$ then $\mathcal{A}_{i_a} := FSA(\mathcal{B}, (g_{a+1}, i_{a+1}))$ else return $PA(\mathcal{A}_{i_l}, (g_l, i_l))$. 

3. $a := a + 1$. 

Let the $P_{i_l}$-automaton returned by the above algorithm be denoted by $\mathcal{A}$. Then, as explained earlier, we check whether there is an infinite run $\rho$ for $(G \times \{i_l\}, \Gamma, \Delta_{i_l})$ that starts from a configuration in $L(\mathcal{A})$ and such that $(g_f, i_f)$ is repeated infinitely often. 
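As an added example (my code, not the paper's), the following Python implements the loop above for a small 2-stack system: a $post^*$ saturation on $P$-automata in the style of [22], the $PA(\cdot)$ and $FSA(\cdot)$ renamings, and the per-context iteration; it returns the $post^*$ automaton $\mathcal{B}$ of the last context, i.e. the configurations of stack $i_l$ reachable once the last switching state $(g_l, i_l)$ has been reached. The rules, the stack-bottom symbol and the state names are constructed for this illustration, global states are plain strings (the witness carries the stack index), and the final Büchi check of (ii) is not part of the block.

```python
from itertools import count

# Added example, not the paper's code. For each stack i, rules (g, gamma, g2, w): in global
# state g with gamma on top of stack i, move to g2 and replace gamma by w, where w = () is
# a return (pop), (b,) an internal move and (b, c) a call (push).
EPS = None        # label of the epsilon transitions introduced by post*
BOTTOM = 'bot'    # constructed stand-in for the stack-bottom symbol


class PAutomaton:
    """P-automaton: global states are its initial states; (g, w) is accepted iff
    some final state is reachable from g by reading w (epsilon moves allowed)."""

    def __init__(self, trans, finals):
        self.trans = set(trans)      # triples (q, letter or EPS, q2)
        self.finals = set(finals)

    def reach(self, start, eps_only):
        """States reachable from `start` (via epsilon edges only if eps_only)."""
        seen, todo = set(start), list(start)
        while todo:
            q = todo.pop()
            for (p, a, q2) in self.trans:
                if p == q and (a is EPS or not eps_only) and q2 not in seen:
                    seen.add(q2)
                    todo.append(q2)
        return seen

    def step(self, states, a):
        states = self.reach(states, True)
        return {q2 for (p, x, q2) in self.trans if p in states and x == a}

    def accepts(self, g, word):
        cur = {g}
        for a in word:
            cur = self.step(cur, a)
        return bool(self.reach(cur, True) & self.finals)

    def part_from(self, q0):
        """Sub-automaton reachable from q0 (FSA(.) must drop the other global states)."""
        seen = self.reach({q0}, False)
        return PAutomaton({t for t in self.trans if t[0] in seen}, self.finals & seen)


_fresh = count()

def post_star(rules, aut):
    """post*(aut) by saturation as in [22]: whenever g --gamma--> q exists and
    (g, gamma) -> (g2, w) is a rule, add transitions letting g2 read w to q.
    One auxiliary state per (g2, b) of a call rule, fresh for every invocation."""
    trans = set(aut.trans)
    mid = {}
    for (g, gamma, g2, w) in rules:
        if len(w) == 2 and (g2, w[0]) not in mid:
            mid[(g2, w[0])] = ('mid', g2, w[0], next(_fresh))
    changed = True
    while changed:
        changed = False
        cur = PAutomaton(trans, aut.finals)
        for (g, gamma, g2, w) in rules:
            for q in cur.step({g}, gamma):
                if len(w) == 0:
                    new = {(g2, EPS, q)}
                elif len(w) == 1:
                    new = {(g2, w[0], q)}
                else:
                    new = {(g2, w[0], mid[(g2, w[0])]), (mid[(g2, w[0])], w[1], q)}
                if not new <= trans:
                    trans |= new
                    changed = True
    return PAutomaton(trans, aut.finals)

def context_bounded_post(rules_per_stack, witness, n_stacks):
    """The loop of Section 5.1 for a guessed witness [(g_1, i_1), ..., (g_l, i_l)];
    returns the post* automaton B of the last context (stack i_l)."""
    fsa = {i: PAutomaton({('q0', BOTTOM, 'qf')}, {'qf'}) for i in range(n_stacks)}
    B = None
    for a, (g, i) in enumerate(witness):
        # PA(A_i, g): the initial state q0 of the plain FSA becomes the global state g
        pa = PAutomaton({(g if p == 'q0' else p, x, q) for (p, x, q) in fsa[i].trans},
                        fsa[i].finals)
        B = post_star(rules_per_stack[i], pa)
        if a + 1 < len(witness):
            # FSA(B, g_next): stack-i contents paired with the next switching state g_next
            g_next = witness[a + 1][0]
            part = B.part_from(g_next)
            fsa[i] = PAutomaton({('q0' if p == g_next else p, x, q) for (p, x, q) in part.trans},
                                part.finals)
    return B

def global_reachable(B, g):
    """True iff (g, w) is in L(B) for some stack content w."""
    return bool(B.part_from(g).finals)

# Constructed 2-stack system: in g0, stack 0 pushes a's; only stack 1 moves the control
# from g0 to g1 (pushing c); back on stack 0, g1 pops a's and reaches g2 at the bottom.
# So g2 needs the context sequence stack 0, stack 1, stack 0 (two context switches).
RULES = {0: {('g0', BOTTOM, 'g0', ('a', BOTTOM)), ('g0', 'a', 'g0', ('a', 'a')),
             ('g1', 'a', 'g1', ()), ('g1', BOTTOM, 'g2', (BOTTOM,))},
         1: {('g0', BOTTOM, 'g1', ('c', BOTTOM))}}
```

With the witness $(g_0, 0)(g_0, 1)(g_1, 0)$ the returned $\mathcal{B}$ accepts $(g_2, \bot)$ and $(g_1, aa\bot)$ but not $(g_2, a\bot)$; with the witness $(g_0, 0)$ alone, or $(g_0, 0)(g_0, 1)$, $g_2$ is not reachable.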

Note that $\mathcal{A}$ is obtained from automata with a few states after applying the operations $post^*(\cdot)$, $FSA(\cdot)$ and $PA(\cdot)$ at most $3 \times (k + 1)$ times. Hence, the size of $\mathcal{A}$ is in $O([3 \times (k + 1) \times card(G) \times N]^2 \times card(\Gamma))$. Detecting whether there is an infinite run in which $(g_f, i_f)$ is repeated infinitely often will be polynomial in $3 \times (k + 1) \times card(G) \times N \times card(\Gamma)$. As a consequence, the complete decision procedure requires time in $O(|P|^{k+1} \times p(k, |P|))$ for some polynomial $p(\cdot, \cdot)$. 

Corollary 12. (I) BMC with $k$ encoded with a unary representation is ExpTime-complete. (II) BMC with $k$ encoded with a binary representation is in 2ExpTime. 

In Corollary 12(I), ExpTime-hardness is inherited from the case with a single stack [11]. We have seen that there is an infinite $k$-bounded run $\rho$ from $(g, (\bot)^N)$ such that $\rho \models \phi$ iff there exists a $k$-bounded run $\hat{\rho}$ from $(\hat{g}, (\bot)^N)$ for some $\hat{g} \in I_0$ of the multi-pushdown system $\hat{P}$ such that for each $F \in \mathcal{F}$ there exists a $\hat{g}_F \in F$ that is repeated infinitely often. Since $\hat{P}$, $I_0$ and $\mathcal{F}$ are of exponential size, the second proposition can be reduced to an exponential number of instances of $\mathrm{BREP}_{single}$ in which the multi-pushdown system is of exponential size only. Using the parameterized complexity upper bound $O(|P|^{k+1} \times p(k, |P|))$, we can conclude that BMC with $k$ encoded with a unary representation can be solved in exponential time. Corollary 12(II) is then a consequence of the above argument. 

It is also worth noting that [9, Theorem 15] would lead to an ExpTime upper bound for BMC if $k$ were not part of the input; see the ExpTime upper bound for the problem NESTED-TRACE-SAT($\mathcal{L}^-$, $k$) introduced in [9]. In our case $k$ is indeed part of the input, and then the developments in [9] lead to a 2ExpTime bound with the method used for NESTED-TRACE-SAT($\mathcal{L}^-$, $k$), even if $k$ is encoded in unary: in that proof, the path expression $\mathrm{succ}_{<k}$ is exponential in the value $k$. Hence, Corollary 12(I) is the best we can hope for when $k$ is part of the input of the model-checking problem. 

Adding regularity constraints about stack contents preserves the complexity upper bound. We write BMC$^{\mathrm{reg}}$ to denote the extension of BMC in which Multi-CaRet is replaced by Multi-CaRet$^{\mathrm{reg}}$ (see Section 3.1). 

Corollary 13. (I) BMC$^{\mathrm{reg}}$ with $k$ encoded in unary is ExpTime-complete. (II) BMC$^{\mathrm{reg}}$ with $k$ encoded in binary is in 2ExpTime. 

Let us explain how the construction of $P$ can be updated so that BMC$^{\mathrm{reg}}$ can be solved almost like BMC. Obviously, we have to take care of the regularity constraints, and to do so we enrich the global states with pieces of information about the regularity constraints satisfied by the current stack contents. Such pieces of information are finite-state automata together with a set of their states, and an update on a stack triggers an update of that set of states. Moreover, we take advantage of the stack mechanism itself to recover previous values of these pieces of information. 

Let us provide a bit more detail. Suppose that the formula $\phi$ contains the following regularity constraints $\mathrm{in}(s_1, A_1), \ldots, \mathrm{in}(s_n, A_n)$. We extend the notion of augmented run so that global states are enriched with triples $(s_1, A_1, X_1), \ldots, (s_n, A_n, X_n)$ where each $X_i$ is a set of states of $A_i$. By definition, $X_i$ is the set of states of $A_i$ that can be reached from some initial state of $A_i$ by reading the current content of the stack $s_i$. Hence, $X_i$ is uniquely defined but, since $A_i$ is not necessarily deterministic, $X_i$ need not be a singleton. In the definition of $P$, the triples $(s_1, A_1, X_1), \ldots, (s_n, A_n, X_n)$ are updated according to the updates on the stacks, but we have to be a little careful. Before explaining why, first note that if $\mathrm{in}(s_i, A_i)$ belongs to an atom of some global state of $P$, we impose that $X_i$ contains an accepting state of $A_i$, which amounts to checking that the current content of the stack $s_i$ is indeed a word of $L(A_i)$. Let us now explain how to update the values $(s_1, A_1, X_1), \ldots, (s_n, A_n, X_n)$. When a call action is performed on a stack $s$ with letter $a$, each value $(s_i, A_i, X_i)$ with $s_i = s$ is replaced by $(s_i, A_i, Y_i)$ where $Y_i$ is the set of states that can be reached from some state of $X_i$ by reading $a$ (as in the power-set construction for finite-state automata). Moreover, we extend the stack alphabet of $P$ so that each letter of the stack alphabet is also enriched with values $(s_1, A_1, X_1), \ldots, (s_n, A_n, X_n)$. When a call action is performed in the original system, we also perform a call in $P$, but with a letter enriched with the values $(s_1, A_1, X_1), \ldots, (s_n, A_n, X_n)$ that held before the push. Now, when a return is performed on a stack $s$, the values $(s_1, A_1, X_1), \ldots, (s_n, A_n, X_n)$ stored on the top of the stack are used to restore those values in the global state of $P$. Similarly, when an internal action is performed on a stack $s$, the values $(s_1, A_1, X_1), \ldots, (s_n, A_n, X_n)$ stored on the top of the stack are also used to compute the new values in the global state (but this time these values are not popped from the stack). By observing that values of the form $(s_1, A_1, X_1), \ldots, (s_n, A_n, X_n)$ are of linear size in the size of $\phi$, all the complexity analysis we have performed for BMC can easily be adapted to BMC$^{\mathrm{reg}}$; actually, the arguments are identical except that the construction of $P$ is a bit more complex, as described above. 
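To make the update discipline above concrete, here is an added example (the editor's code, not taken from the paper) for a single constraint $\mathrm{in}(s_i, A_i)$ in Python. The enriched global component $X_i$ is advanced by the power-set step on a call, restored from the stored frame on a return, and recomputed from the stored frame when an internal action rewrites the top symbol (the example assumes that internal actions may rewrite the top letter and treats the bottom marker $\bot$ as implicit, so the empty stack yields the initial states). The NFA `second_to_last_is_a`, the action sequence in `demo`, and the class and method names are all constructed for the example; `consistent()` cross-checks the tracked set against re-reading the whole stack content.

```python
"""Maintaining the subset X_i of a regularity constraint in(s_i, A_i) (added example)."""
from typing import Dict, FrozenSet, List, Set, Tuple


class NFA:
    """A (possibly non-deterministic) automaton over stack letters."""

    def __init__(self, initial: Set[int], accepting: Set[int],
                 delta: Dict[Tuple[int, str], Set[int]]):
        self.initial = frozenset(initial)
        self.accepting = frozenset(accepting)
        self.delta = delta

    def step(self, states: FrozenSet[int], letter: str) -> FrozenSet[int]:
        """Power-set step: all states reachable from `states` by reading `letter`."""
        return frozenset(t for s in states for t in self.delta.get((s, letter), ()))

    def run(self, word: str) -> FrozenSet[int]:
        """Reference computation: read the whole word from the initial states."""
        states = self.initial
        for letter in word:
            states = self.step(states, letter)
        return states


class TrackedStack:
    """One stack s_i whose content is read bottom-to-top by A_i.

    `X` is the component (s_i, A_i, X_i) of the enriched global state.  Every
    frame carries the X that was valid for the content strictly below it; that
    is what a return restores and what an internal rewrite of the top restarts
    from.  The bottom marker is implicit (assumption of this example)."""

    def __init__(self, nfa: NFA):
        self.nfa = nfa
        self.frames: List[Tuple[str, FrozenSet[int]]] = []  # (letter, X_below)
        self.X: FrozenSet[int] = nfa.initial

    def call(self, letter: str) -> None:
        """Push: store the current X on the new frame, then advance X by `letter`."""
        self.frames.append((letter, self.X))
        self.X = self.nfa.step(self.X, letter)

    def ret(self) -> str:
        """Pop: X is restored from the frame; the stack is never re-read."""
        letter, below = self.frames.pop()
        self.X = below
        return letter

    def internal(self, letter: str) -> None:
        """Internal action rewriting the top symbol (assumed allowed by the model):
        recompute X from the stored X_below; the frame stays on the stack."""
        _, below = self.frames.pop()
        self.frames.append((letter, below))
        self.X = self.nfa.step(below, letter)

    def content(self) -> str:
        return "".join(letter for letter, _ in self.frames)

    def satisfies(self) -> bool:
        """The check imposed when in(s_i, A_i) belongs to the atom of a global state."""
        return bool(self.X & self.nfa.accepting)

    def consistent(self) -> bool:
        """Sanity check: the tracked X equals the subset obtained by re-reading the stack."""
        return self.X == self.nfa.run(self.content())


def second_to_last_is_a() -> NFA:
    """Constructed constraint: the second-to-last letter of the stack content
    (read bottom to top) is 'a'.  Its natural NFA is non-deterministic, so X
    is genuinely a set and not a single state."""
    return NFA(initial={0}, accepting={2}, delta={
        (0, "a"): {0, 1}, (0, "b"): {0},
        (1, "a"): {2}, (1, "b"): {2},
    })


def demo() -> List[Tuple[str, bool]]:
    """Run a constructed sequence of stack actions; record (content, constraint holds)."""
    st = TrackedStack(second_to_last_is_a())
    trace = []
    for action, arg in [("call", "a"), ("call", "b"), ("call", "b"),
                        ("ret", None), ("internal", "a")]:
        if action == "call":
            st.call(arg)
        elif action == "ret":
            st.ret()
        else:
            st.internal(arg)
        assert st.consistent()
        trace.append((st.content(), st.satisfies()))
    return trace


if __name__ == "__main__":
    for content, ok in demo():
        print(f"{content!r:6} in L(A)? {ok}")
```

Each frame stores one subset of states of $A_i$, so the enlarged stack letter grows only by a bit vector of the size of $A_i$, which is the linear-size observation the complexity argument relies on.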

5.2 Complexity Results for Other Boundedness Notions 

In this section, we focus on the complexity analysis for OBMC and PBMC, based not only on the previous developments but also on the complexity of repeated reachability problems when runs are either $k$-phase-bounded or from ordered multi-pushdown systems. Let OREP$_{\mathrm{single}}$ be the variant of BREP$_{\mathrm{single}}$ with ordered multi-pushdown systems: 

input: an ordered multi-pushdown system $P$, a configuration $((g, i), (\bot)^N)$, a global state $(g_f, i_f)$. 

question: Is there an infinite run $\rho$ from $((g, i), (\bot)^N)$ such that $(g_f, i_f)$ is repeated infinitely often? 

According to [3, Theorem 11], OREP$_{\mathrm{single}}$ restricted to ordered multi-pushdown systems with $k$ stacks can be checked in time $O(|P|^{2^{dk}})$ where $d$ is a constant. Our synchronized product $P$ is exponential in the size of formulas (see Section 4), whence the order-bounded model-checking problem OBMC can be solved in 2ExpTime too ($k$ is linear in the size of our initial $P$). Note that Condition (C) from Theorem 10 needs to be used here. 

Corollary 14. OBMC is in 2ExpTime. 

Corollary 14 is close to optimal since the non-emptiness problem for ordered multi-pushdown systems is 2ETime-complete. In addition, the same complexity upper bound applies even when regularity constraints on stack contents are added. 

Now, let us conclude this section by considering $k$-phase-bounded runs. Again, let us define the problem PBREP$_{\mathrm{single}}$: 

input: a multi-pushdown system $P$, an initial configuration $((g, i), (\bot)^N)$, a global state $(g_f, i_f)$ and a bound $k \in \mathbb{N}$. 

question: Is there an infinite $k$-phase-bounded run $\rho$ from $((g, i), (\bot)^N)$ such that $(g_f, i_f)$ is repeated infinitely often? 

In [4, Section 5], it is shown that non-emptiness for $k$-phase multi-pushdown systems can be reduced to non-emptiness for ordered multi-pushdown systems with $2k$ stacks. By inspecting the proof, we can conclude: 

1. a similar reduction can be performed for the repeated reachability of a global state; 

2. non-emptiness of a $k$-phase system $P$ with $N$ stacks is reduced to non-emptiness of one of $N^k$ instances $P'$ with $2k$ stacks, each $P'$ being of polynomial size in $k + |P|$. 

Therefore, PBREP$_{\mathrm{single}}$ is in 2ExpTime too. Indeed, there is an exponential number of instances and checking non-emptiness for one of them can be done in double exponential time. By combining the different complexity measures above, checking an instance of PBREP$_{\mathrm{single}}$ with $P$ requires time in 

$$O\big(N^k \times |P'|^{2^{2dk}}\big)$$ 

which is clearly double exponential in the size of $P$ when $k$ is encoded in unary. Consequently, bounded model-checking with bounded-phase multi-pushdown systems is in 2ExpTime too if the number of phases is encoded in unary (and in 3ExpTime otherwise, since a binary-encoded $k$ can be exponential in the input size). 

Corollary 15. (I) PBMC where $k$ is encoded in unary is in 2ExpTime. (II) PBMC where $k$ is encoded in binary is in 3ExpTime. 

Again, the same complexity upper bounds apply when regularity constraints are added. Note that an alternative proof of Corollary 15(I) can be found in the recent paper [10, Theorem 5.2], where fragments of MSO are taken into account. 



6 Conclusion 

In this note, we have shown that model checking over multi-pushdown systems with $k$-bounded runs is ExpTime-complete when $k$ is an input bound encoded in unary, and that the problem is in 2ExpTime with a binary encoding. The logical specification language is a version of CaRet in which the abstract temporal operators are related to calls and returns and parameterized by the stacks, and regularity constraints on stack contents are present too. A 2ExpTime upper bound is also established for ordered multi-pushdown systems and for $k$-phase-bounded runs, and these upper bounds are optimal with a unary encoding of $k$. Our complexity analysis rests on the reduction from model checking to repeated reachability and on the complexity analysis for pushdown systems. The characterization of the complexity when $k$ is encoded in binary is still open, and we conjecture that an exponential blow-up may occur. More generally, our work can be pursued in several directions, including refinements of the complexity analysis but also an increase of the expressive power of the logics while keeping the same worst-case complexity upper bounds. 